CLASSIFIED INFORMATION SYSTEMS SECURITY MANUAL


1. PURPOSE . This Manual provides requirements and implementation instructions for the graded 
protection of the confidentiality, integrity, and availability of information processed on all 
automated information systems used to collect, create, process, transmit, store, and disseminate 
classified information by, or on behalf of, the Department of Energy (DOE). The requirements are 
based upon applicable Federal statutes, regulations, National Security Directives, Executive 
Orders, procedures in Office of Management and Budget (OMB) Circulars and Bulletins, and 
Federal standards. 


2. SUMMARY. All information collected, created, processed, transmitted, stored, or disseminated
by, or on behalf of, DOE on automated information systems needs some level of protection.
The loss or compromise of information entrusted to DOE and its contractors may affect the
nation's economic competitive position, the environment, the national security, DOE missions,
or the citizens of the United States. The risk management approach identified in this Manual for
DOE and its contractors provides for the graded, cost-effective protection of automated
information systems containing classified information. Protection of unclassified automated
information systems is provided for in DOE N 205.1, UNCLASSIFIED CYBER SECURITY
PROGRAM.


3. CANCELLATION. DOE M 5639.6A-1, MANUAL OF SECURITY REQUIREMENTS FOR THE
CLASSIFIED AUTOMATED INFORMATION SYSTEM SECURITY PROGRAM, dated 7-15-94,
is canceled. Cancellation of a Manual does not, by itself, modify or otherwise affect any
contractual obligation to comply with such a Manual. Canceled Manuals incorporated by reference
in a contract must remain in effect until the contract is modified to delete the reference to the
requirements in the canceled Manuals.


4. APPLICABILITY.


a. General. This Manual applies to Departmental elements responsible for protection of
automated information that is classified.


b. Application to Contracts. This Manual applies to covered contractors (a DOE contractor
or subcontractor subject to DOE Acquisition Regulation, Part 952.204-2, or other clause 
requiring protection of classified information, nuclear material, or other sensitive information 
or activities). For contractor requirements, see the contractor requirements document in 
Attachment 1. 

5. IMPLEMENTATION . Security requirements for classified information systems contained in this 
Manual and in DOE O 471.2A, INFORMATION SECURITY PROGRAM, must be 
implemented as follows. 


a. This Manual must be implemented no later than 6 months from the date of issuance. 
b. Existing accredited classified information systems shall remain accredited until
reaccreditation is required, either because the systems have passed the 3-year 
accreditation expiration date or because of significant changes in the security 
requirements of the classified information system. After implementation of this 
Manual, reaccreditation must be in accordance with this Manual and DOE O 471.2A. 


c. Classified information systems that have begun the certification and accreditation 
process before implementation of this Manual may be accredited under DOE M 
5639.6A-1. These systems will remain accredited until reaccreditation is required, 
either because the systems have passed the 3-year accreditation expiration date or 
because of significant changes in the security requirements of the information system. 
Reaccreditation must be in accordance with this Manual and DOE O 471.2A. 


d. New classified information systems that are under development and that have not
begun the certification and accreditation process before implementation of this Manual
must meet the requirements of this Manual and DOE O 471.2A.


6. DEFINITIONS. See Attachment 2.

7. CONTACT. Questions concerning this Manual should be directed to the Classified
Information Systems Security Program Manager at ...2122.


BY ORDER OF THE SECRETARY OF ENERGY:


David M. Klaus
Director of Management
and Administration
CHAPTER I


CLASSIFIED INFORMATION SYSTEMS SECURITY PROGRAM OVERVIEW


1. INTRODUCTION . The Classified Information Systems Security Program provides for the 
protection of classified information on DOE and contractor information systems. This Manual 
consists of three main elements: Management Structure, Risk Management, and Requirements. 
In this document, the term(s) “classified information system,” “information system,” or “system” 
are used to mean systems that process classified information. 


2. MANAGEMENT STRUCTURE. Management of the Classified Information Systems Security
Program is performed through a multi-tiered structure. DOE positions include the Classified
Information Systems Security Program Manager (ISPM), Designated Approving Authority(s)
(DAA), and Classified Information Systems Security Operations Manager(s) (ISOM). Site
positions, which may be held by DOE or contractor employees, include the Classified Information
Systems Security Site Manager(s) (ISSMs) and Classified Information Systems Security
Officer(s) (ISSO). Site positions also include application owners/data custodians and users.
Details of the management structure and responsibilities are in Chapter II.


3. RISK MANAGEMENT. Risk management is a process that considers the prevailing DOE
threat analysis, the effect of countermeasures applied to the processing environment, the remaining
vulnerability of the processing environment (residual risk), and the protection requirements and
value of the information being processed. Countermeasures are increased until the risk is reduced
to an acceptable level or until the cost of reducing the risk becomes prohibitive. If the DAA
determines that the remaining risk is not acceptable, management must then determine if the
automation requirement is sufficient to justify additional costs. Details of the risk management
process and other program management requirements are in Chapter III. The certification and
accreditation process is described in Chapter V.



4. REQUIREMENTS. The Department's classified information systems security process for
achieving adequate protection based on levels of concern for the confidentiality, integrity, and 
availability of information is detailed in Chapter V. Requirements common to all systems are 
detailed in Chapter VI. These include sanitization, maintenance, personnel, and physical 
requirements. Protection requirements graded by levels of concern and confidentiality protection 
level are detailed in Chapter VII. These include audit, documentation, and testing requirements. 
Additional requirements for interconnected systems (networks) are detailed in Chapter VIII. 


5. OTHER RELATED POLICIES . This Manual provides protection requirements for classified 
information systems. Other DOE Orders and Manuals provide the specific requirements for 
classified communications, protected transmission systems, classified matter protection, and 
personnel and physical requirements. Determination of classification must be accomplished in 
accordance with DOE classification policy. 
CHAPTER II

MANAGEMENT STRUCTURE AND RESPONSIBILITIES 


The Classified Information Systems Security Program is managed through a multi-tiered structure. The 
structure includes an ISPM at DOE Headquarters, DAA(s), ISOM(s) at each DOE Operations Office, 
and ISSMs and ISSOs at the sites. The structure also includes application owners/data custodians and 
users of the systems. This chapter describes the roles and responsibilities of the individuals involved in 
the decision-making activities in the Program. 


1. CLASSIFIED INFORMATION SYSTEMS SECURITY PROGRAM MANAGER (ISPM).
The ISPM is a DOE employee knowledgeable in information systems security and is appointed
by the Director of the Office of Safeguards and Security (NN-51). The ISPM is responsible for
the following.


a. Serves as the program manager for Classified Information Systems Security and ensures
implementation of the Classified Information Systems Security Program within DOE.


b. Develops and recommends DOE policies, standards, procedures, and guidelines for
protecting information systems that collect, create, process, transfer, store, or provide
access to classified information.


c. Maintains a continuing review of this Manual to ensure that current technology is being
applied to the protection of information systems that create, process, store, transfer, or
provide access to classified information and to eliminate those practices that are no longer
needed or effective.


d. Approves secure remote diagnostic and maintenance facilities proposed for use with
information systems that process classified information.


e. Annually reviews and updates, as needed, the Periodic Risk Assessment for the DOE
Classified Information Systems Security Program and the DOE Statement of Generic Threat 
to Automated Information Systems. 

f. In coordination with the field, designates the DAA for information systems that operate
under the jurisdiction of more than one Headquarters and field element. 


g. Reviews and concurs on accreditation for systems operating at Protection Level 5 or 6 that
operate under the jurisdiction of one Headquarters or field element. 


h. Represents the DOE before Federal, private, and public organizations concerned with 
protecting classified information systems. 
i. Reports changes in ISOM and DAA appointments to all DAAs.

j. Coordinates the following:


(1) with the Unclassified Computer Security Program Manager; 

(2) with the Office of Energy Intelligence on the protection of Sensitive Compartmented 
Information (SCI); 


(3) implementation of the Classified Information Systems Security Program with Classified 
Matter Protection and Control, Personnel Security, Physical Security, Communications 
Security, Protected Transmission Systems, TEMPEST, Materials Control and
Accountability, and other programs, as appropriate; 


(4) the development, publication, and distribution of [...] for the protection of
classified information systems.


k. Provides education, awareness, and training to-

(1) ensure that education in DOE's Classified Information Systems Security Program
policies and practices is available to ISOMs and ISSMs (scheduling of these
educational activities must allow all ISOMs and ISSMs to participate within 1 year of
their appointment);

(2) maintain a capability to facilitate the electronic exchange of information systems
security information such as awareness alerts on sniffer attacks, viruses, etc.;

(3) periodically present information systems security workshops; and

(4) periodically sponsor an Information Systems Security Program training conference.

l. Supports, maintains, and coordinates an advice and assistance capability for use by any
ISOM or ISSM within DOE. The services provided by this capability must include the 
following. 


(1) Advice and Assistance Reviews. Reviews of information systems protection as
requested by the site, such as reviews of network designs or protection profiles of 
networks or systems. 

(2) Independent Validation and Verification (IV&V). Design, certification, and
performance test reviews of networks or systems that process classified information. 
m. Maintains and coordinates an incident response capability to provide timely assistance and
system vulnerability information to DOE sites. 

n. Provides guidance for a technology development program to support the Classified 
Information Systems Security Program and periodically briefs DAAs, ISOMs, and ISSMs 
on activities and results of the program. 

o. Collects and disseminates information relevant to the Classified Information Systems 
Security Program. 


p. Monitors the Classified Information Systems Security Program findings and deficiencies 
resulting from surveys, inspections, and reviews. 

q. Conducts timely reviews of the system protection documentation and the certification for
information systems located in Sensitive Compartmented Information Facilities (SCIFs)
received from cognizant ISOMs and provides comments to the Office of Energy
Intelligence.

2. DESIGNATED APPROVING AUTHORITY (DAA). The DAA is a DOE employee
appointed by the Operations Office Manager. He/she is responsible for evaluating the protection
measures in an information system as described in the Classified Information Systems Security
Plan (ISSP), the results of any certification tests, the certification of the system, and any residual
risks of operating the system. The DAA may designate additional tests that must be performed
prior to meeting accreditation requirements.


With this appointment, the Operations Manager provides the DAA with written authorization to
accept the residual risk and responsibility for the loss of confidentiality, availability, and/or
integrity of all classified information systems under DAA jurisdiction. The authorization must
include accreditation, provisional accreditation, withdrawal of accreditation, and suspension of
operations for all classified information systems with operational boundaries fully contained under
his/her jurisdiction. The ISOM may also be appointed as the DAA. The DAA is responsible for
the following.


a. Serves as accrediting authority for each DOE and covered contractor classified information 
system with operational boundaries fully contained under his/her jurisdiction. 

b. Ensures that this Manual is implemented for each classified information system under his/her 
jurisdiction, that each system is accredited or reaccredited every 3 years (except for 
information systems that process SCI), and that the accreditation or reaccreditation is 
documented. 

c. Ensures that the accreditation of each system under his/her jurisdiction is withdrawn, and 
that the system is properly sanitized when the system no longer processes classified 
information or when changes occur that might affect accreditation. 
d. Ensures that DAA authorities are delegated only to DOE employees who are
knowledgeable in information systems security. 

e. Reports any changes in ISOM or ISSM appointments to the ISPM. 

3. CLASSIFIED INFORMATION SYSTEMS SECURITY OPERATIONS MANAGER(s)
(ISOM). The ISOM is a DOE employee, knowledgeable in information systems security and
appointed by the Operations Office Manager. The ISOM must participate in ISPM-sponsored 
training in the Classified Information Systems Security Program within 1 year of his/her 
appointment. The ISOM is responsible for the following. 


a. Communicates appropriate incident reports received from sites to the ISPM. 

b. Ensures periodic review of the Classified Information Systems Security Program consistent
with the Operations Office Survey Program at each site under the jurisdiction of the DOE
operations office. 


c. Evaluates information systems for accreditation and provides results to the DAA.


d. Monitors responses to findings and [...] identified in surveys, inspections, and
reviews of each site's Classified Information Systems Security Program to ensure that any
necessary corrective or compensatory actions have been completed.

e. Coordinates the following:


(1) the Classified Information Systems Security Program with the Unclassified Information
Systems Security Program;

(2) implementation of the Classified Information Systems Security Program with
requirements of other DOE programs, as appropriate, such as Classified Matter
Protection and Control, Personnel Security, Physical Security, Communications
Security, Protected Transmission Systems, TEMPEST, and Materials Control and
Accountability Programs.


4. CLASSIFIED INFORMATION SYSTEMS SECURITY SITE MANAGER(s) (ISSM). The ISSM
is appointed by the Site Manager to be responsible for implementation of the site Classified 
Information Systems Security Program. A separate ISSM may be appointed for information 
systems in an SCIF if the site determines that another ISSM is needed. In this capacity, the 
ISSM also functions as the site point of contact (POC) for all classified information systems 
security issues. The ISSM is responsible for the following. 


a. Ensures the development, documentation, and presentation of information systems security 
education, awareness, and training activities for site management, information security 
personnel, data custodians, and users. This training and awareness program must include, 
but is not limited to, various combinations of classes (both self-paced and formal), security
education bulletins, training films, computer-aided instruction, security briefings, and related 
educational aids. 


b. Ensures the development, documentation, and presentation of information systems security
training for escorts in information systems operational areas. 

c. Establishes, documents, implements, and monitors the Classified Information Systems 
Security Program for the site and ensures site compliance with DOE requirements for 
information systems. 

d. Ensures the development of procedures for use in the site Classified Information Systems
Security Program. 


e. Identifies and documents unique threats to information systems at the site.


f. Ensures that the site's Classified Information Systems Security Program is coordinated with
the Site Safeguards and Security Plan (SSSP) or the Site Security Plan (SSP) (see DOE O
470.1, SAFEGUARDS AND SECURITY PROGRAM, Chapter I).

g. Coordinates the following: 

(1) implementation of the site Classified Information Systems Security Program with the
other site programs, as appropriate, such as Classified Matter Protection and Control,
Personnel Security, Physical Security, Communications Security, Protected
Transmission Systems, TEMPEST, and Materials Control and Accountability;


(2) development of the site self-assessment program for the Classified Information Systems
Security Program; and


(3) self-assessment of the site's Classified Information Systems Security Program, which is
to be performed between operations office surveys.


h. Ensures the development of site procedures to- 


(1) govern marking, handling, controlling, removing, transporting, sanitizing, reusing, and 
destroying media and equipment containing classified information; 

(2) ensure that vendor-supplied authentication features (e.g., passwords, account names) 
or security-relevant features are properly implemented; 

(3) report classified information systems security incidents; 
(4) require that each classified information system user sign an acknowledgment of
responsibility (Code of Conduct) for the security of classified information systems and 
classified information; 

(5) detect malicious code, viruses, and intruders (hackers); and 

(6) review and approve ISSPs, certification test plans, and certification test results. 

i. Determines, using guidance from the data custodian(s), the appropriate levels of concern for 
confidentiality, integrity, and availability for each information system that processes classified 
information. 


j. Certifies to the DAA, in writing, that each ISSP has been implemented, that the specified
protection measures are in place and properly tested, and that the classified information
system is functioning as described in the ISSP.


k. Recommends to the DAA, in writing, approval or disapproval of the ISSP test results and
the certification statement.


l. Ensures that the DAA is notified when a system no longer processes classified information
or when changes occur that might affect accreditation.

m. Participates in ISPM-sponsored classified information systems security training within 1 year
of his/her appointment.


n. Ensures that personnel are trained on the information system's prescribed security
restrictions and safeguards before they are initially allowed to access a system.


5. CLASSIFIED INFORMATION SYSTEMS SECURITY OFFICER(s) (ISSO). The ISSO is
responsible for the following.

a. Ensures implementation of security measures for each classified information system for which
he/she is responsible. 


b. Identifies and documents any unique threats to classified information systems for which 
he/she is the ISSO and forwards them to the ISSM. 


c. If so directed by the DAA and/or if an identified unique local threat exists, performs a risk 
assessment to determine if additional countermeasures beyond those identified in this Manual 
are required. 

d. Develops and implements a certification test plan for each classified information system for 
which he/she is the ISSO, as required by this Manual and the DAA. 
e. Prepares, maintains, and implements an ISSP that accurately reflects the installation of
protection measures for each classified information system for which he/she is responsible. 

f. Maintains the record copy of the ISSP and related documentation for each classified 
information system for which he/she is the ISSO. 

g. Notifies the DAA (through the ISSM) when a system no longer processes classified 
information, or when changes occur that might affect accreditation. 


h. Ensures the following: 


(1) that the sensitivity level of the information is determined prior to use on the classified
information system and that the proper security measures are implemented to protect
this information; 


(2) that unauthorized personnel are not granted use of, or access to, a classified
information system; and


(3) that formal access controls are implemented for each classified information system,
except stand-alone personal computers and stand-alone workstations.


i. Documents any special protection requirements identified by the data custodians and the
protection measures implemented to fulfill these requirements for the information contained in
the classified information system.


j. Ensures that confidentiality, integrity, and availability levels of concern are determined for
each classified information system for which he/she is responsible.


k. Implements site procedures to-


(1) govern marking, handling, controlling, removing, transporting, sanitizing, reusing, and
destroying media and equipment containing classified information;


(2) ensure that vendor-supplied authentication features (e.g., passwords, account names) 
or security-relevant features are properly implemented; 


(3) report classified information systems security incidents; 

(4) require that each classified information system user sign an acknowledgment of 
responsibility (Code of Conduct) for protecting classified information systems and 
classified information; 


(5) detect malicious code, viruses, and intruders (hackers); and 
(6) review and approve ISSPs, certification test plans, and certification test results.

l. Ensures that users are properly trained in system security by identifying classified information 
systems security training needs (including system-specific training) and personnel who need 
to attend system security training programs. 

m. Conducts ongoing security reviews and tests of classified information systems to periodically 
verify that security features and operating controls are functional and effective. 


n. Evaluates proposed changes or additions to the classified information systems and advises 
the ISSM of their security relevance. 


6. CLASSIFIED INFORMATION SYSTEMS APPLICATION OWNER/DATA
CUSTODIAN.


a. Determines and declares the sensitivity level of information prior to the information being
processed, stored, transferred, or accessed on the classified information system.


b. Advises the ISSO of any special protection requirements for information to be processed on
the classified information system.


c. Determines and documents the data and application(s) that are essential to fulfill the site
mission and ensures that contingency requirements are determined, implemented, and
tested.

d. Ensures that information is processed on a classified information system that is accredited at
a level sufficient for the information.


7. USERS OF CLASSIFIED INFORMATION SYSTEMS.

a. Comply with Classified Information Systems Security Program requirements.


b. Be aware of and knowledgeable about their responsibilities in regard to classified 
information systems security. 


c. Be accountable for their actions on a classified information system. 


d. Ensure that any authentication mechanisms (including passwords) issued for the control of 
their access to classified information systems are not shared and are protected at the highest 
classification level and most restrictive classification category of information to which they 
permit access. 
e. Acknowledge, in writing, their responsibilities (Code of Conduct) for protecting classified
information systems and classified information. 

f. Participate in training on the information system’s prescribed security restrictions and 
safeguards before initial access to a system. As a follow-up to this initial training, participate 
in an ongoing security education, training, and awareness program. 
CHAPTER III


RISK AND PROGRAM MANAGEMENT


1. INTRODUCTION. The cornerstone of the Classified Information Systems Security Program is
the risk management process, which determines the protection requirements for DOE information.
Risk management balances the data custodian's perceived value of the information and his/her
assessment of the consequences of loss of confidentiality, integrity, and availability against the
costs of protective countermeasures and day-to-day operations. DOE's risk management
process includes the following interrelated phases:


a. threat analysis; 


b. risk analysis that evaluates generic threats, technologies, and architectures and integrates
associated findings into DOE directives governing systems;


c. data custodians' declarations of the consequences of loss of confidentiality, integrity, and
availability;


d. site program implementation that includes the unique concerns of the site (i.e., threats,
protective technologies, procedures, etc.) and integrates those concerns with site operations;

e. system implementation that identifies, evaluates, and integrates the impact of information
loss, system vulnerabilities, data custodian protection requirements, cost of protective
measures, and mission requirements; and


f. system operation where the remaining risk (residual risk) is accepted and oversight is
initiated to ensure that the level of residual risk is managed throughout the information
system's life cycle.


2. THREAT ANALYSIS. The analysis of information threats identified by national and DOE
organizations provides the basis for protecting DOE’s classified information. The ISPM must 
annually review the national information threat posture. The results of this review must be used to 
develop or update the DOE Statement of Generic Threat to Automated Information Systems. 


3. DEPARTMENTAL RISK ANALYSIS . This process begins with an analysis of information 
architectures and technologies to determine how information with different sensitivities can be 
protected on a system. A risk assessment is then performed using this analysis and the DOE 
Statement of Generic Threat to Automated Information Systems. The results of this risk 
assessment are used as the basis to develop the protection countermeasures for DOE’s 
information. 
a. Periodic Risk Assessment. For the DOE Classified Information Systems Security Program, the
ISPM must maintain a constant awareness of how technology, technology trends, 
information architectures and information standards relate to protecting information. The 
ISPM must use this information and the DOE Statement of Generic Threat to Automated 
Information Systems to perform and update the Periodic Risk Assessment for the Classified 
Information Systems Security Program. 




b. Changes to Directives. If either the DOE Statement of Generic Threat to Automated

Information Systems or the Periodic Risk Assessment for the Classified Information Systems 
Security Program is changed, the ISPM must identify and recommend changes to 
requirements in DOE O 471.2A and this Manual. 


4. DATA CUSTODIAN RESPONSIBILITIES. The custodian of information collected, created,
processed, transmitted, or stored on an automated system must ensure the determination of the
level of sensitivity and classification of the information on the automated system.


5. SITE PROGRAM IMPLEMENTATION. The site risk assessment, performed as a function of
the Site Security Plan (SSP) or the Site Safeguards and Security Plan (SSSP), must include the
Departmentwide Classified Information Systems Security Program Periodic Risk Assessment as a
baseline and must identify any site-specific threats. The site risk assessment must consider any
protection technologies unique to the site. The site risk assessment must be documented and
used to augment, as needed, the Classified Information Systems protection profiles to be applied
to information systems at the site.


6. NEW OR MODIFIED SYSTEM IMPLEMENTATION. The system implementation process
begins when the level of concern and protection level of the information to be processed are
identified, as described in Chapter IV. This information forms the basis for the protection profile.
The protection profile requirements are then integrated into the information system's design,
implementation, and operation.


7. SYSTEM OPERATION. The final phase of the risk management process is acceptance of risk
through certification and accreditation (see Chapter V) and the protection of information during
day-to-day operations.


8. INCIDENT REPORTING . In addition to the reporting requirements of DOE O 232.1A, 
OCCURRENCE REPORTING AND PROCESSING OF OPERATIONS INFORMATION, 
dated 7-21-97, the ISOM must ensure that incidents affecting DOE or national interests are 
reported (via telephone or other electronic means) to the ISPM. The report must include at least 
the location of the incident, possible effect on DOE or national interests, a description of the 
incident, and a description of the actions that were taken to protect information after the incident 
was discovered. All individual(s) collecting information about or reporting an incident must ensure 
that any sensitive or classified information involved in the incident or report is properly protected. 
a. The following incident reporting requirements apply.

(1) Affects Site Interests. If the incident affects only site interests, the site must collect and
maintain information about the incident, such as location, description, resources needed 
to respond to the incident, and actions that were taken to protect information after the 
incident was discovered. The DAA must provide this information on request from the 
ISPM. A quarterly summary report must be submitted to the ISPM through the 
ISOM. 


(2) Affects DOE or National Interests. Any incident that affects DOE or national interests
must be reported to the ISOM immediately after detection. The ISOM must report 
the incident to the ISPM within 1 hour of receiving the report.


b. The ISPM will periodically issue instructions regarding what constitutes an incident and
specifying information to be reported.


9. OVERSIGHT.

a. ISOM Program Reviews. The ISOM must ensure that periodic reviews of the site's
Classified Information Systems Security Program are performed.


b. ISSM Self-Assessments. The ISSM must ensure that periodic self-assessments of the site's
program are performed. Upon completion of each review, the ISSM must ensure that a
corrective action plan is prepared and implemented for all findings or vulnerabilities as
directed by DOE O 470.1, Chapter IX, Paragraph 10a. A record of each review and the
subsequent corrective action plan must be retained and made available during future surveys
and inspections.


10. SITE SAFEGUARDS AND SECURITY PLAN. The SSSP must contain information regarding
the Classified Information Systems Security Program as detailed in DOE O 470.1.
CHAPTER IV 


PROTECTION PROFILES 


1. INTRODUCTION. A protection profile is a description of the protection measures required for 
a particular information system. A protection profile reflects the prescribed protection measures, 
which are determined by- 


a. the protection level for confidentiality, 


b. the level of concern for integrity and availability, and 

c. the operating environment of the system as reflected in the level of trust embodied in the 
user environment. 


2. LEVEL OF CONCERN. The level of concern reflects the sensitivity of the 
information and the consequences of the loss of confidentiality, integrity, or availability. 


a. Information Sensitivity Matrices. The information sensitivity matrices presented here are 
designed to assist in determining the protection level and the levels of concern 
for confidentiality, integrity, and availability for a given classified information system 
processing a given set of information. The matrices (Tables 1, 2, and 3) should be used as 
follows. 


(1) A determination of high, medium, or low must be made for each of the three attributes: 
confidentiality, integrity, and availability. It is not necessary for the level of concern to 
be the same for all attributes of the system. 


(2) The DAA or the data custodian may determine that additional protection measures 
(beyond those required by the specified levels of concern) are necessary to achieve an 
acceptable level of risk. 


b. Confidentiality Level of Concern. In considering confidentiality, the principal question is the 
necessity for supporting the classification levels and the types of information (e.g., Secret 
Restricted Data [SRD] Sigma 15) on the system in question. The Protection Level Table 
for Confidentiality (Table 4) combines the processing environment with the level of concern 
for confidentiality to provide a protection level. The protection level is then applied to Table 
5 to provide a set of graded requirements to protect the confidentiality of the information on 
the system. This graded approach to requirements provides sufficient and necessary 
protection for the information on the system without requiring unnecessary protections for 
systems where the level of concern for confidentiality is low or medium. 
Table 1. Information Sensitivity Matrix for Confidentiality. 

Level of Concern   Qualifiers 
High               All SCI 
                   All Special Access Programs (SAPs)/Special Access Required (SAR) 
                   All information protecting intelligence sources, methods, and analytical 
                   procedures 
                   All Single Integrated Operational Plan (SIOP) 
                   All Crypto 
                   SECRET RD (SIGMAs 1, 2, 14, 15) and TOP SECRET 
Medium             SECRET 
                   SECRET RD (All other SIGMAs) 
Low                CONFIDENTIAL 

NOTE: The DAA or the data custodian may determine that additional protection measures (beyond those 
required by the specified level of concern) are necessary to achieve an acceptable level of risk. 


Table 2. Information Sensitivity Matrix for Integrity. 

Level of Concern   Qualifiers 
High               Absolute accuracy required for mission accomplishment; or loss of life might 
                   result from loss of integrity; or loss of integrity will have an adverse effect on 
                   national-level interests; or loss of integrity will have an adverse effect on 
                   confidentiality. 
Medium             High degree of accuracy required for mission accomplishment, but not 
                   absolute; or bodily injury might result from loss of integrity; or loss of 
                   integrity will have an adverse effect on organizational-level interests. 
Low                Reasonable degree of accuracy required for mission accomplishment. 

NOTE: The DAA or the data custodian may determine that additional protection measures (beyond those 
required by the specified level of concern) are necessary to achieve an acceptable level of risk. 


c. Integrity Level of Concern. In considering integrity, the principal consideration is the need 
for accuracy of the information on the system in question. 


d. Availability Level of Concern. In considering availability, the principal consideration is the 
need for the information on the system in question to be available in a fixed time frame to 
accomplish a mission. 
Table 3. Information Sensitivity Matrix for Availability. 

Level of Concern   Qualifiers 
High               Information must always be available upon request, with no tolerance for 
                   delay; or loss of life might result from loss of availability; or loss of 
                   availability will have an adverse effect on national-level interests; or loss of 
                   availability will have an adverse effect on confidentiality. 
Medium             Information must be readily available with minimum tolerance for delay; or 
                   bodily injury might result from loss of availability; or loss of availability will 
                   have an adverse effect on organizational-level interests. 
Low                Information must be available with flexible tolerance for delay. 

NOTE: In this context, "High - no tolerance for delay" means no delay; "Medium - minimum tolerance for delay" 
means a delay of seconds to hours; and "Low - flexible tolerance for delay" means a delay of days to 
weeks. 

NOTE: The DAA or the data custodian may determine that additional protection measures (beyond those 
required by the specified level of concern) are necessary to achieve an acceptable level of risk. 


3. PROTECTION LEVEL. The protection level of a classified information system is determined by 
the relationship between two sets of facts: (1) the clearance levels, formal access approvals, and 
need-to-know of the system's users; and (2) the level of concern for confidentiality of the 
information. The protection level translates into a set of requirements that must be implemented 
in the resulting system. Table 4 presents the criteria for determining the following six protection 
levels for confidentiality: 


a. Systems are operating at Protection Level 1 when all users have all required clearances, 
formal access approvals, and the need-to-know for all information on the system. 


b. Systems are operating at Protection Level 2 when all users have all required clearances and 
all required formal access approvals for all information on the system, but at least one user 
lacks the need-to-know for some of the information on the system. 


c. Systems are operating at Protection Level 3 when at least one user lacks at least one 
required formal access approval for some information on the system. This means that all 
users have all required clearances, but at least one user lacks formal access approval for 
some of the information on the system. 


d. Systems are operating at Protection Level 4 when at least one user has only a DOD Secret 
or DOE L clearance, and the level of concern for confidentiality is high. 

e. Systems are operating at Protection Level 5 when at least one user has no clearance, and 
the information on the system is classified no higher than Secret and contains no Sigma 1, 2, 
14, or 15 (i.e., the level of concern for confidentiality is low or medium). 

f. Systems are operating at Protection Level 6 when at least one user has no clearance, and 
the level of concern for confidentiality is high. 
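The six rules above form a decision procedure. The following is an added worked example (not code from the Manual or from DOE) that applies paragraphs 3a through 3f, as written, to a system's user population. The User record, the enumerations, the helper names and the sample populations are assumptions made for illustration. One edge case is handled explicitly: a user holding only a DOD Secret or DOE L clearance on a system with a medium or low level of concern is assigned no level by paragraph 3d (Table 4's row for Level 4 reads "High or Medium"), so the function raises and leaves that determination to the DAA rather than guessing.

```python
"""Added example, not part of the DOE Manual: applies the Protection Level
rules of Chapter IV, paragraph 3 (a-f) to a user population.  The User
record, enumerations, helper names and sample populations are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Concern(Enum):
    """Level of concern for confidentiality (Table 1)."""
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


class Clearance(Enum):
    NONE = "none"                                             # paragraphs 3e, 3f
    SECRET_OR_L = "DOD Secret or DOE L"                       # paragraph 3d
    AT_LEAST_HIGHEST_DATA = "at least equal to highest data"  # paragraphs 3a-3c


@dataclass(frozen=True)
class User:
    name: str
    clearance: Clearance
    all_formal_access_approvals: bool   # formal access approval for ALL data on the system
    all_need_to_know: bool              # need-to-know for ALL data on the system


class UndeterminedProtectionLevel(Exception):
    """The combination is not assigned a level by paragraph 3 as written."""


def protection_level(users: Iterable[User], concern: Concern) -> int:
    """Return the confidentiality Protection Level (1-6) for the system."""
    users = list(users)
    if not users:
        raise ValueError("a system needs at least one user to be classified")

    # 3e / 3f: at least one user has no clearance at all.  This dominates the
    # other rules, so it is tested first.
    if any(u.clearance is Clearance.NONE for u in users):
        return 6 if concern is Concern.HIGH else 5

    # 3d: at least one user holds only a DOD Secret or DOE L clearance.
    if any(u.clearance is Clearance.SECRET_OR_L for u in users):
        if concern is Concern.HIGH:
            return 4
        raise UndeterminedProtectionLevel(
            "Secret/L-cleared user with %s level of concern is not covered by "
            "paragraph 3d as written; refer the case to the DAA" % concern.value)

    # 3a-3c: every user is cleared at least to the highest data on the system.
    if not all(u.all_formal_access_approvals for u in users):
        return 3   # at least one user lacks a formal access approval
    if not all(u.all_need_to_know for u in users):
        return 2   # all approvals held, but need-to-know is not universal
    return 1       # clearances, approvals and need-to-know all universal


def risk_category(level: int) -> str:
    """Paragraphs 5 and 6: Levels 5-6 are 'significant risk', Level 4 'substantial risk'."""
    if level in (5, 6):
        return "significant risk"
    if level == 4:
        return "substantial risk"
    return "standard"


# Constructed sample populations (assumptions, not taken from the Manual).
SAMPLE = {
    "lab_lan": [
        User("analyst", Clearance.AT_LEAST_HIGHEST_DATA, True, True),
        User("admin", Clearance.AT_LEAST_HIGHEST_DATA, True, False),
    ],
    "mixed_secret": [
        User("q_cleared", Clearance.AT_LEAST_HIGHEST_DATA, True, True),
        User("l_cleared", Clearance.SECRET_OR_L, False, False),
    ],
}

if __name__ == "__main__":
    for name, population in SAMPLE.items():
        lvl = protection_level(population, Concern.HIGH)
        print(name, "-> Protection Level", lvl, "(%s)" % risk_category(lvl))
```

Because the uncleared-user test runs first, a population that mixes an uncleared user with Secret/L-cleared users lands at Level 5 or 6, never at Level 4; that ordering is what paragraphs 3e and 3f require.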

4. PROTECTION PROFILES. 


a. Common Requirements. Requirements common to all systems are detailed in Chapter VI. 

b. Graded Requirements. Protection requirements graded by level of concern and 
confidentiality protection level are detailed in Chapter VII. The tables included here present 
the requirements detailed in Chapter VII. To use these tables, find the column representing 
the protection level for confidentiality, or find the row representing the level of concern 
for integrity or availability. 


(1) Confidentiality Components. Confidentiality components describe the confidentiality 
protection requirements that must be implemented in an information system using the 
profile. Confidentiality protection requirements are graded according to the 
confidentiality protection level that incorporates levels of concern. 



Table 4. Protection Level Table for Confidentiality. 

Protection   Level of Concern       Clearance                        Formal Access Approval   Need-To-Know 
Level 
6            High                   At least one user has none       NOT ALL Users Have ALL   NOT ALL Users Have ALL 
5            Medium or Low          At least one user has none       NOT ALL Users Have ALL   NOT ALL Users Have ALL 
4            High or Medium         DOD Secret or DOE L              NOT ALL Users Have ALL   NOT ALL Users Have ALL 
3            High, Medium, or Low   At Least Equal to Highest Data   NOT ALL Users Have ALL   NOT ALL Users Have ALL 
2            High, Medium, or Low   At Least Equal to Highest Data   ALL Users Have ALL       NOT ALL Users Have ALL 
1            High, Medium, or Low   At Least Equal to Highest Data   ALL Users Have ALL       ALL Users Have ALL 
Table 5. Protection Profile Table for Confidentiality. 

Requirements (Paragraph)                          Confidentiality Protection Level 
                                                  1        2        3        4        5        6 
Audit Capability (VII.3)                          AUD-1    AUD-2    AUD-3    AUD-4    AUD-4    AUD-5 
Communications (VII.6)                            COM-1    COM-1    COM-1    COM-2    COM-1    COM-1 
Configuration Management (VII.7)                  CM-1     CM-1     CM-2     CM-3     CM-3     CM-3 
Independent Validation and Verification (VII.9) 
Resource Access Controls (VII.10)                                                    RAC-3    RAC-3 
Resource Utilization (VII.11)                                                        RU-2 
Session Controls (VII.12)                                                            SC-3     SC-3 
Security Documentation (VII.13)                                                      SD-2     SD-2 
Separation of Functions (VII.14)                                                     SF-1     SF-1 
System Recovery (VII.15)                                                             SR-2     SR-2 
Security Support Structure (VII.16)                                                  SSS-3    SSS-3 
Security Testing (VII.17)                                                            ST-3     ST-3 
Trusted Path (VII.18)                                                                TP-1     TP-1 

(2) Integrity Components. Integrity components describe the integrity protection 
requirements that must be implemented in an information system using the profile. The 
integrity protection requirements are graded according to the integrity level of concern. 

(3) Availability Components. Availability components describe the availability protection 
requirements that must be implemented in an information system using the profile. The 
availability protection requirements are graded according to the availability level of 
concern. 

5. SIGNIFICANT RISK SYSTEMS. Systems operating at Protection Level 5 or 6 present a 
significant risk of the loss of classified information. Systems operating at these levels may 
operate within a protected environment or have connections that provide encrypted data to 
pass over public switched networks. Direct connections to public switched networks, without 
absolute assurance that all communications are encrypted, are not permitted. 
Table 6. Protection Profile Table for Integrity. 

Requirements (Paragraph)                  Integrity Level of Concern 
                                          Low      Medium   High 
Audit Capability (VII.3)                  AUD-1    AUD-2    AUD-4 
Backup and Restoration of Data (VII.4)    BRD-1    BRD-2    BRD-3 
Changes to Data (VII.5)                   CD-1     CD-1     CD-2 
Communications (VII.6)                    COM-1             COM-2 
Configuration Management (VII.7)          CM-1              CM-3 
Security Support Structure (VII.16)       SSS-1             SSS-3 
Security Testing (VII.17)                                   ST-3 


Table 7. Protection Profile Table for Availability. 

Requirements (Paragraph)                  Availability Level of Concern 
                                          Low      Medium   High 
Alternate Power Source                    APS-1    APS-2    APS-3 
Backup and Restoration of Data (VII.4)    BRD-1    BRD-2    BRD-3 
Disaster Recovery Planning                DRP-1    DRP-2    DRP-3 
Security Support Structure (VII.16)       SSS-1    SSS-2    SSS-3 


Any connection of systems operating at Protection Level 5 or 6 to other agencies will require a 
memorandum of understanding stating that the system/network being connected either- 

a. is not connected to the public switched network, 

b. is not connected to another system/network that does not use encrypted connections to the 
public switched network, or 

c. is connected to the public switched network and uses approved encryption methods for that 
connection. 


6. SUBSTANTIAL RISK SYSTEMS . Systems operating at Protection Level 4 present a 
substantial risk of the loss of the separation and need-to-know protection provided by 
compartmentation. DAAs must recognize the technical risk of operating such systems. 


7. SPECIAL CATEGORIES. Several categories of systems can be adequately secured without 
implementing the protection measures specified in Chapter VII. These systems are not 
"exceptions" or "special cases" of the protection levels specified in this chapter; however, 
applying the protection requirements specified in Chapter VII to these systems by rote results in 
unnecessary costs and operational impacts. In general, the technical questions are where, when, 
and how to apply a given set of protection measures, rather than whether to apply the measures. 
For many of these "special" systems (such as guards or pure servers and tactical, embedded, 
data-acquisition, and special-purpose systems), the physical security protections for the system 
provide the required access control while the application running on the platform provides the 
required user separation. 

a. Pure Servers. 

(1) Certain specialized systems, such as guards or pure servers in a network, do not fit the 
protection level criteria and may need fewer protection measures. These systems have 
the following characteristics: 

(a) no user code is executed on the system, 

(b) only administrators and maintainers can access the system, 

(c) the system provides non-interactive services to clients (e.g., packet routing or 
messaging services), 

(d) the hardware and/or application providing network services otherwise meets the 
protection requirements of the network, 

(e) the risk of attack against the Security Support Structure (SSS) using network 
communication paths is sufficiently low, and 

(f) the risk of attack against the SSS using physical access to the system itself is 
sufficiently low. 


(2) The platform (i.e., hardware and operating system) on which the guard or pure 
server runs usually needs to meet no more than Protection Level 3 security 
requirements. The guard or pure server may have a large number of clients (i.e., 
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individuals who use the guard’s or server’s functional capabilities in a severely 
constrained way). The guard application or server application itself will have to 
provide the more stringent protection requirements appropriate for the system’s 
protection level and operational environment. Assurances appropriate to the levels of 
concern for the system must be implemented. 

(3) Systems that do have general users or do execute general user code are not "pure 
servers" within the meaning of this section and so must meet all protection requirements 
specified for their protection level and operational environment. 


(4) The term "pure server" is not intended to limit the applicability of this section to 
systems that have traditionally been referred to as servers. For example, a messaging 
system that happened to be implemented on a general-purpose computer platform 
could be accredited under this Manual, and if such a system meets the specifications in 
(1), above, the system's protection requirements could be categorized by this section 
of the Manual. 

(5) The above easing of protection requirements does not imply any relaxation in other 
security requirements (e.g., physical and communications security requirements), which 
are determined by the information protected by the system. As stated above, this easing 
of protection requirements is predicated upon adequate application of physical security 
and other appropriate security disciplines. 


b. Tactical, Embedded, Data-Acquisition, and Special-Purpose Systems. Some systems 
cannot be altered by their users and are designed and implemented to provide a very limited set 
of predetermined functions. Certain tactical or so-called "embedded" systems fall into this 
category, as do some data-acquisition systems and some other special-purpose systems. 
These systems also have the characteristics that first, and most importantly, there are no 
general users on the system and, second, there is no user code running on the system. If 
the DAA determines that such a system is sufficiently incapable of alteration, and that the 
applications running on the system provide an adequate level of security, then the system 
does not have to meet additional protection requirements specified for more-general- 
purpose systems in this Manual. DAAs and implementors are cautioned to be sure that such 
systems do, in all operational situations, provide the separation appropriate to the system's 
protection level. 


c. Systems with Group Authenticators. Many protection measures specified in this Manual 
implicitly assume that the system includes an acceptable level of individual accountability. 
This is normally ensured by the use of unique user identifiers and authenticators. 
Operationally, the design of some systems necessitates more than one individual using the 
same identifier/authenticator combination. Such situations often require the use of group 
authenticators. 
In general, the use of group authenticators precludes the association of a particular act with 
the individual who initiated that act. In turn, this can preclude assignment of responsibility 
and can exacerbate the difficulties involved in incident investigation. Group authenticators 
must be used only for broader access after the use of a unique authenticator for initial 
identification and authentication. The use of group authenticators must be approved by the 
DAA. 
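The rule that a group authenticator may be used only after unique identification and authentication is easiest to see as a session model. The following is an added example (not code from the Manual or from DOE) of a broker in which the only way to obtain a session is an individual logon, a group authenticator can be assumed only on such a session, and every audit record carries the individual's identifier even while the group identity is in use. The class, its method names, the PBKDF2 credential store and the membership check are assumptions for illustration; the Manual requires DAA approval of group authenticators and says nothing about how membership is enforced.

```python
"""Added example, not from the DOE Manual: a session broker that permits a
group authenticator to be assumed only after unique identification and
authentication, and ties every audited action to the individual.  The class,
method names, credential store and membership check are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


class AuthError(Exception):
    pass


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    members: FrozenSet[str] = frozenset()   # for group authenticators: who may assume it


@dataclass
class Session:
    individual: str                   # unique identifier established at logon
    group: Optional[str] = None       # group authenticator in use, if any


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class SessionBroker:
    def __init__(self) -> None:
        self._individuals: Dict[str, Credential] = {}
        self._groups: Dict[str, Credential] = {}
        self.audit: List[dict] = []   # one record per auditable event

    def register_individual(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._individuals[user_id] = Credential(salt, _digest(password, salt))

    def register_group(self, group_id: str, password: str, members) -> None:
        salt = os.urandom(16)
        self._groups[group_id] = Credential(salt, _digest(password, salt), frozenset(members))

    @staticmethod
    def _verify(cred: Optional[Credential], password: str) -> bool:
        if cred is None:
            return False
        return hmac.compare_digest(cred.digest, _digest(password, cred.salt))

    def _record(self, session: Optional[Session], event: str, target: str) -> dict:
        # The individual is recorded on every event, group or not, so that an
        # act can always be associated with the person who initiated it.
        rec = {
            "individual": session.individual if session else None,
            "group": session.group if session else None,
            "event": event,
            "target": target,
        }
        self.audit.append(rec)
        return rec

    def logon(self, user_id: str, password: str) -> Session:
        """Unique identification and authentication; the only way to get a Session."""
        if not self._verify(self._individuals.get(user_id), password):
            self._record(None, "logon_failure", user_id)
            raise AuthError("unique identification and authentication failed")
        session = Session(individual=user_id)
        self._record(session, "logon", user_id)
        return session

    def assume_group(self, session: Optional[Session], group_id: str, password: str) -> Session:
        """Broader access via a group authenticator, permitted only on an
        existing, individually authenticated session."""
        if session is None or not session.individual:
            raise AuthError("group authenticator used without prior unique authentication")
        cred = self._groups.get(group_id)
        if cred is None or session.individual not in cred.members or not self._verify(cred, password):
            self._record(session, "group_assume_failure", group_id)
            raise AuthError("group authenticator rejected")
        session.group = group_id
        self._record(session, "group_assume", group_id)
        return session

    def perform(self, session: Optional[Session], action: str) -> dict:
        """Every action is attributed to the individual even when a group is in use."""
        if session is None or not session.individual:
            raise AuthError("no authenticated session")
        return self._record(session, "action", action)
```

Knowing the group password alone is useless here: `assume_group` refuses a missing session, and a `Session` cannot be constructed by the caller without going through `logon`, so the audit trail never contains a group-only actor.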


d. Single-User, Stand-Alone Systems. Extensive technical protection measures are normally 
inappropriate and inordinately expensive for single-user, stand-alone systems. DAAs can 
approve administrative and environmental protection measures for such systems, in lieu of 
technical ones. Systems that have one user at a time, but have a total of more than one user 
with no sanitization between users, are multi-user systems, and the DAA must consider the 
systems as such in determining the protection level and the resulting protection requirements. 
Systems that have one user at a time, and are sanitized between users, are periods 
processing systems as described below. 


e. Periods Processing. Periods processing is a method of operating an information system 
sequentially that provides the capability to process information at various levels of sensitivity 
at distinctly different times. Periods processing provides the capability to either have more 
than one user or group of users (sequentially) on a single-user information system who do 
not have the same need-to-know or who are authorized to access different levels of 
information, or use an information system at more than one protection level (sequentially). 


(1) Sanitization After Use. If an information system is used for periods processing either 
by more than one user or by segregating information by classification level onto 
separate media, the DAA must specify the sanitization procedures to be employed by 
each user before and after each use of the system. 


(2) Sanitization Between Periods. The information system must be sanitized of all 
information before transitioning from one period to the next [e.g., whenever a new user 
does not have access authorization or the need-to-know for data processed during the 
previous period, or when changing from one protection level to another]. The DAA 
must document and approve such procedures, which could include, among others, 
sanitizing nonvolatile storage, exchanging disks, and powering down the information 
system and its peripherals. 


(3) Media for Each Period. Information systems employed in periods processing must 
have separate media for each period of processing, including copies of operating 
systems, utilities, and applications software. 


(4) Audit. If several people are using the system, and the system is not capable of 
automated logging, the DAA must consider requiring manual logging. Audit trails are 
not required for single-user, stand-alone systems. 
8. PROTECT AS RESTRICTED DATA (PARD). 

a. Site Authorization to Use PARD Designation. Any site wishing to use the PARD 
designation must receive prior approval from the Director, Office of Nonproliferation and 
National Security. The ISOM may limit use of the PARD designation to specific 
organizations at a site. Use of the PARD designator will be discontinued permanently on 
June 30, 2002. 


b. Handling and Control of PARD Information. The security measures contained herein apply 
only to PARD information as it appears as output, hereafter referred to as "PARD output." 


(1) Only printed computer output may be marked PARD. Electronic media (disks, tapes, 
etc.) and computer systems may not be marked PARD. Within the classified 
information system (including communication lines), information that will be labeled 
PARD when it is in printed form is designated Secret Restricted Data. 

(2) PARD output may be generated only on classified information systems that have been 
accredited to process information at the high level of concern for confidentiality. 

(3) PARD output may be used only in a DOE limited or protected area. 

(4) PARD output may be accessed only by personnel who have a Q access authorization 
and a need-to-know. 

(5) Appropriately trained users (see paragraph 8c, below) may determine the use of the 
PARD marking for information. The PARD marking must be used only- 

(a) if the output may contain limited quantities of classified information that is not 
readily recognized as classified because it is contained in large quantities of 
information, and 

(b) if the PARD output contains a substantial volume of data with a low density of 
potentially classified information. 

(6) PARD output must be conspicuously marked on each page or sheet with the words 
“PROTECT AS RESTRICTED DATA.” Where space does not allow, the letters 
“PARD” may be used. This marking must be applied when the PARD output is 
originated. All PARD output must show the date of origination. 


(7) When not in use, PARD output must be stored as follows: 

• within a limited or protected area in a manner authorized for Secret Restricted 
Data documents (see DOE M 471.2-1B, CLASSIFIED MATTER 
PROTECTION AND CONTROL MANUAL); 

• in a secure storage container or filing cabinet equipped with a locking device; or 

• in an area that is administratively controlled during work hours and maintained 
under locked conditions during nonwork hours. 

The keys/combinations for any locks used to protect PARD must be administratively 
controlled and available only to persons with at least a Q access authorization and a 
need-to-know. 


(8) PARD output must be destroyed in the same manner as Secret Restricted Data 
documents (see DOE M 471.2-1B). 


(9) PARD output to be transferred from the site on which it was originated to another site 
must be reviewed for classification (DOE M 475.1-1, IDENTIFYING CLASSIFIED 
INFORMATION) and, if classified, must be marked, protected, and 
transferred as any other classified document (DOE M 471.2-1B). PARD output 
transferred between points within a limited or protected area or between limited or 
protected areas located at the same site must be in the personal custody of a person 
who has a Q access authorization. Between limited or protected areas, PARD output 
must be protected as a Secret Restricted Data document (DOE M 471.2-1B). 


c. Training of PARD Users. The Classified Matter Protection and Control (CMPC) Manager 
at a site approved for the use of PARD must ensure proper control and use of PARD 
output by ensuring that each user is aware of the special security measures necessary for 
handling PARD output. A user must not be allowed to use the PARD designation until 
he/she has received appropriate training as specified by the CMPC Manager. The CMPC 
Manager must ensure that periodic reviews are conducted to ensure that accumulation of 
PARD output is kept to a minimum and that the PARD marking is being used in compliance 
with this Manual. 
CHAPTER V 


CERTIFICATION AND ACCREDITATION 


1. OVERVIEW . The certification and accreditation process begins after protection measures have 
been implemented and any required classified information system protection documentation has 
been approved. The certification process confirms that the protection profile described in the 
ISSP has been implemented and that the protection measures are functioning properly. This 
process culminates in an accreditation for the system to operate. 


2. CERTIFICATION PROCESS. The certification process confirms that the system's protection 
measures have been correctly implemented in accordance with the selected protection profile. 


a. Independent Validation and Verification. For information systems intended to operate at 
Protection Level 5 or 6, an Independent Validation and Verification (IV&V) review must be 
conducted and funded by the cognizant site. 


b. Sensitive Compartmented Information. For systems located in an SCIF that 
processes SCI, the cognizant ISSM must review the information system 
protection documentation and test the information system. Once the review is 
completed, the ISSM sends it, with comments, to the Office of Energy 
Intelligence and the Office of Nonproliferation and National Security. 


3. ACCREDITATION. The DAA must review and accredit all systems before they become 
operational to ensure confidence in the confidentiality, availability, and integrity of all classified 
information. 


a. Provisional Accreditation. The DAA may grant provisional accreditation (temporary 
authority to operate an information system) because of incomplete documentation or to 
permit a major conversion of the information system. Provisional accreditation may be 
granted for up to 180 days. DAA-approved protection measures must be in place and 
functioning during the period of provisional accreditation. 


b. Reaccreditation . As outlined in National Policy contained in OMB Circular A-130, 
“Management of Federal Information Resources,” and National Security 
Telecommunications and Information Systems Security Directives (NSTISSDs), each 
information system must be reaccredited every 3 years or whenever security-significant 
changes are made to the accredited information system. The ISSO/ISSM/ISOM must 
review proposed modifications to information systems to determine if the proposed 
modifications will impact the protections on the system. If the protection aspects of the 
systems environment change, if the applicable protection requirements change, or if the 
protection mechanisms implemented for the system change, the system must be 
reaccredited. 
During the reaccreditation cycle, the DAA may choose to grant an interim accreditation for 
the system. 


c. Withdrawal of Accreditatio n. The DAA must evaluate the risks and consider withdrawal of 
accreditation if the protection measures approved for the system do not remain effective or 
whenever any of the following items change: levels of concern, protection level, technical or 
nontechnical protection measures, vulnerabilities, operational environment, operational 
concept, or interconnections. The DAA must withdraw accreditation and ensure proper 
sanitization when the system is no longer required to process classified information, or if the 
operational need for the system no longer outweighs the risk of operating the system. 


d. Invalidation of an Accreditation. An accreditation becomes invalid immediately whenever 
detrimental, security-significant changes occur to any of the following: the required 
protection level, the operational environment, the operational concept/mission, or the 
interconnections. 

e. Certification and Accreditation of Multiple Systems. When two or more similar information 
systems are to be operated in equivalent operational environments (e.g., the levels of 
concern and protection level are the same and the physical security requirements are 
similar), the ISSO may write and the DAA may approve a Master ISSP to cover all such 
information systems. The information systems covered by a Master ISSP may range from 
personal computers up to and including multi-user information systems and local area 
networks that meet the criteria for a Master ISSP approach. 


(1) Master Systems Security Plan. The Master ISSP must conform to the ISSP 
requirements and specify the information required for each certification 
for an information system to be accredited under the plan. 


(2) Information Systems Certification Report (ISCR). The ISCR must contain- 

(a) the information system's identification, 

(b) the information system's location, and 

(c) a statement signed by the ISSM certifying that the information system implements 
the requirements in the Master ISSP. 


(3) The DAA must accredit the first information system under the Master ISSP. The 
ISSM must certify that all other individual information systems to be operated under 
the Master ISSP meet the conditions of the approved Master ISSP. This certification, 
in effect, accredits the individual information systems to operate under the Master 
ISSP. A copy of each certification report must be retained with the approved copy of 
the Master ISSP. 

(4) Recertification of Information Systems. All information systems certified under a 
Master ISSP remain certified until the Master ISSP is changed or 3 years have 
elapsed since the information system was certified. If either the levels of concern or 
the protection level described in the Master ISSP changes, all information systems 
certified under the Master ISSP must be recertified. 


4. DESIGNATED APPROVING AUTHORITY. 


a. Systems at Protection Level 5 or 6. Accreditation for systems at Protection Level 5 or 6 
will require the concurrence of the ISPM. 


b. Delegation of Approval Authority. The DAA may delegate approval authority provided 
that- 

(1) all delegations are in writing and for a specified time not to exceed 3 years, 

(2) the DAA (or his/her delegate) and the person certifying the system are not the same 
person, 

(3) the delegate cannot redelegate the authority, and 

(4) the delegate is a DOE employee. 


c. Systems under Multiple Designated Approving Authorities. For a system that involves 
multiple DAAs, the ISPM, in coordination with the field, must designate the DAA. Each site 
involved in the system must identify, in writing, the security officials to be responsible for 
implementing information system protection on the system components at the site. 


d. Director, Naval Reactors Program. For classified information systems networks that are 
solely under the jurisdiction of the Director of Naval Reactors Program and whose external 
components fall into the jurisdiction of different Naval Reactor Offices, the Director of 
Naval Reactors Program must designate one of the Naval Reactor Office senior managers 
to be the DAA. Notification of the accreditation of any information system with a protection 
level of 4, 5, or 6 must be furnished to the ISPM. 

5. DEVIATIONS. If it is impossible or impracticable to implement the protection requirements and 
countermeasures described in this Manual, deviations (variances, waivers, or exceptions), 
including alternative protection measures, must be requested under the procedures described in 
DOE O 470.1. 
CHAPTER VI 


BASELINE REQUIREMENTS 


1. INTRODUCTION . This chapter describes protection requirements common to all systems. 

2. CLEARING AND SANITIZATION. 

a. Clearing. All internal memory, buffer, or other reusable memory must be cleared to 
effectively deny access to previously stored information. Detailed instructions on clearing 
must be issued periodically by the ISPM. 

b. Sanitization. Classified information systems resources must be sanitized before they are 
released from classified information controls or released for use at a lower classification 
level. Detailed instructions on sanitization must be issued periodically by the ISPM. 


3. EXAMINATION OF HARDWARE AND SOFTWARE. Classified information systems hardware and 
software must be examined when received and before being used. 

a. Information Systems Software. Procured software must be tested to ensure 
that it contains no obvious features that might be detrimental to the security of the 
information system. Security-relevant software must be tested to ensure that the security 
features function as specified. 

b. Information Systems Hardware. The equipment must be examined to determine that it 
appears to be in good working order and has no "parts" that might be detrimental to the 
secure operation of the information system when placed under site control and cognizance. 
Subsequent changes and developments that affect security may require additional 
examination. 

IDENTIFICATION AND AUTHENTICATION MANAGEMENT . Identification and 
authentication are required to ensure that users are associated with the proper security attributes, 
such as identity, protection level, or location. Controls, such as biometrics or smart cards, may be 
used at the discretion of the IS SO with approval of the ISSM and DAA. 


a. Identifier Management. User identifiers must be managed in accordance with documented procedures.

b. Authenticator Management. User authenticators must be managed in accordance with documented procedures.

c. Unique Identification. Each user must be uniquely identified and that identity must be associated with all auditable actions taken by that individual.

d. Authentication at Logon. Users must be required to authenticate their identities at “logon” time by supplying their authenticator, such as a password, smart card, or biometrics, in conjunction with their user identification (ID) prior to the execution of any application or utility on the system.

e. Access to Authentication Data. Access to authentication data must be restricted to authorized personnel through the use of encryption, file access controls, or both.

f. User ID Reuse. Prior to reuse of a user ID, all previous access authorizations (including file accesses for that user ID) must be removed from the system.

g. User ID Removal. When an employee leaves the sponsoring organization or loses access to the system for cause, that individual’s user ID must be removed or disabled from the system.

h. User ID Revalidation. All active user IDs must be revalidated at least annually, and information such as sponsor and method of off-line contact (e.g., phone number, mailing address) must be updated as necessary.

i. Protection of Authenticators. An authenticator in the form of knowledge (password) or possession (smart card, keys) must not be shared with anyone.

j. Protection of Passwords. When passwords are used as authenticators, the following must apply.

(1) Passwords must be protected at a level commensurate with the classification level and most restrictive classification category of the information to which they allow access.


(2) Passwords must contain a minimum of six nonblank characters. 


(3) Passwords must be generated by a method approved by the DAA. Password 
acceptability must be based on the method of generation, the length of the password, 
and the size of the password space. The password generation method, the length of 
the password, and the size of the password space must be documented. In no case 
must a user develop his/her own password. 

(4) When an information system cannot prevent a password from being echoed (e.g., in a 
half-duplex connection), an overprint mask must be printed before the password is 
entered to conceal the typed password. 
(5) User software, including operating system and other security-relevant software, comes 
with a few standard authenticators (e.g., System, Test, Master) and passwords already 
enrolled in the system. Passwords for all standard authenticators must be changed 
before allowing the general user population access to the information system. These 
passwords must be changed after a new system version is installed or after other action 
is taken that might result in the restoration of these standard passwords. 

(6) If the level of concern for confidentiality is low, the lifetime of a password must not 
exceed 12 months. If the level of concern is medium or high, the lifetime of a 
password must not exceed 6 months. 


5. MAINTENANCE. Information systems are particularly vulnerable to security threats during maintenance activities. The level of risk is a factor of the nature of the maintenance person’s duties, the security awareness of the employees, and the maintenance person’s access to classified information and facilities.

a. Cleared Maintenance Personnel. Personnel who perform maintenance on systems must be cleared to the highest classification level of information on the system and indoctrinated for all information processed on that system. Personnel who perform maintenance or diagnostics on information systems do not require an escort. When possible, however, an appropriately cleared and technically knowledgeable facility employee must be present within the area where the maintenance is performed to ensure that proper security and safety procedures are followed.

b. Uncleared or Lower-Cleared Maintenance Personnel.

(1) If appropriately cleared personnel are unavailable to perform maintenance, an uncleared or lower-cleared person may be used, provided a fully cleared and technically qualified escort monitors and records his/her activities in a maintenance log.

(2) If maintenance personnel are uncleared, system initiation and termination must be performed by the fully cleared and technically qualified escort. In addition, their keystrokes must be monitored during their access to the system.


(3) Prior to maintenance by uncleared personnel, the information system must be 
completely cleared and all nonvolatile data storage media must be removed or 
physically disconnected and secured. When a system cannot be cleared, ISSM- 
approved procedures must be enforced to deny the uncleared individual visual and 
electronic access to any classified or sensitive data contained on the system. 


(4) A separate, unclassified copy of the operating system, including any micro-coded 
floppy disks or cassettes integral to the operating system, must be used for all 
maintenance operations performed by uncleared personnel. The copy must be labeled 
“UNCLASSIFIED — FOR MAINTENANCE ONLY” and protected in accordance 
with documented procedures. Maintenance procedures for an information system 
using a nonremovable storage device on which the operating system is resident must be 
considered by the ISSM on a case-by-case basis. 

c. General Maintenance Requirements.

(1) The ISSM must identify the need for, and format of, a maintenance log.

(2) Systems maintenance must be performed on site whenever possible. Equipment repaired off site and intended for reintroduction into a facility may require protection from association with that particular facility or program.

(3) If systems or system components are removed from the facility for repair, they must first be purged and downgraded to an appropriate level or sanitized of all classified and sensitive data and declassified in accordance with approved procedures. The ISSO must approve the release of all systems or system components removed from the system.

(4) Introduction of network analyzers that would allow maintenance personnel to monitor keystrokes must be approved by the DAA prior to being introduced into an information system. The DAA must approve use of these devices by uncleared maintenance personnel when a system cannot be cleared or sanitized of all classified and sensitive data. The ISSM must approve use of these devices by maintenance personnel cleared to the highest classification level processed by the system.


(5) If maintenance personnel bring into a facility diagnostic test programs (e.g., software or firmware used for maintenance or diagnostics), the following procedures must be implemented.

(a) The media containing the programs must be checked for malicious codes before the media are connected to the system.

(b) The media must remain within the facility and must be stored and controlled at 
the level of the information system. 


(c) Prior to entering the facility, maintenance personnel must be advised that they will 
not be allowed to remove media from the facility. 


(d) If this procedure cannot be followed because of special circumstances, the 

following must occur each time the diagnostic test media are introduced into a 
facility. 
1 The media must undergo stringent integrity checks (e.g., virus scanning, 
checksum, etc.) prior to being used on the information system. 

2 Before leaving the facility, the media must be checked to ensure that no 
classified information has been written on the media. 

3 The DAA must approve the revised procedure. 


(6) All diagnostic equipment and other devices carried into a facility by maintenance personnel must be handled as follows.

(a) Systems and system components being brought into the facility must be inspected for improper modification.

(b) Before being released, maintenance equipment capable of retaining information must be appropriately sanitized by procedures approved by the ISPM. If the equipment cannot be sanitized, the equipment must remain within the facility, be destroyed, or be released under procedures approved by the DAA.

(c) Replacement components may be brought into the facility to swap with facility components; however, components placed into an information system must remain in the facility until approved procedures are completed. Any component not placed into an information system may be released from the facility provided the component was kept under control of a trained escort or reviewed under approved procedures.

(d) Communications devices with transmit capability (e.g., pagers, RF LAN connections, etc.) belonging to the maintenance personnel or any data storage media not required for the maintenance visit must remain outside the system facility and be returned to the maintenance personnel when they leave the facility.


(7) Maintenance changes that affect the security of the system must receive a configuration 
management review. 


(8) After maintenance has been performed, the security features on the information 

systems must be checked and documented to ensure they are still functioning properly. 


d. Remote Maintenance. 


(1) Remote diagnostic maintenance service may be provided by a service or organization 
that does provide the same level and category(ies) of security. The communications 
links connecting the components of the systems, associated data communications, and 
networks must be protected in accordance with national policies and procedures 
applicable to the sensitivity level of the data being transmitted. 

(2) If remote diagnostic or maintenance services are required from an organization that 
does not provide the same level of security required for the system being maintained, 
the following procedures must be implemented. 


(a) The information system must be sanitized and in a stand-alone mode prior to 
connection of the remote-access line. 

(b) If the system cannot be sanitized (e.g., due to a system crash), remote diagnostic 
and maintenance services must not be allowed. 


(c) The ISSO must initiate and terminate the remote access.

(d) Keystrokes must be monitored on all remote diagnostic or maintenance services. Before beginning remote diagnostics/maintenance activities, maintenance technicians performing these activities must be advised (contractually, verbally, by banner, etc.) that keystroke monitoring will be performed.

(e) A technically qualified person must review the maintenance log to ensure the detection of unauthorized activity.

(f) Maintenance personnel accessing the information systems at the remote site must be cleared to the highest level of information processed on that system prior to sanitization.

(g) Procedures for installing and using remote diagnostic links must be approved by the DAA.

(h) An audit log of all remote maintenance, diagnostic, and service transactions must be maintained and periodically reviewed. This review must be documented.


(i) Other techniques to consider include encryption and decryption of diagnostic 

communications, strong identification and authentication techniques (e.g., tokens), 
and remote disconnect verification. 


(3) System maintenance requirements and vulnerabilities must be addressed during all 
phases of the system life cycle. Specifically, contract negotiations must consider the 
security implications of system maintenance. 

6. MALICIOUS CODE. 
a. Site Policies. Policies and procedures to detect and deter incidents caused by malicious 
code, such as viruses or unauthorized modification to software, must be implemented. 

b. Personal Software . The use of software purchased or developed by an individual for 
personal use is discouraged. If such software is required or desired to enhance the 
information system operation, each installation of the software must be approved in 
accordance with site policies. 


c. Public Domain Software. The use of public domain software is strongly discouraged. If 
such software is required or needed to enhance system operation, procedures must be 
implemented to carefully examine this software for malicious code before it is introduced into 
the information system environment. 


7. MARKING HARDWARE, OUTPUT, AND MEDIA. Marking of hardware, output, and media must conform to instructions issued by the ISPM. Where marking is impractical or interferes with operation of the media, the DAA may approve alternate marking procedures. The alternate marking procedures must be documented.

a. Hardware Components. Procedures must be implemented to ensure that all components of an information system, including peripheral devices, terminals, stand-alone microprocessors, or word processing terminals, bear a conspicuous, external label that states the highest classification level and most restrictive classification category of the information accessible to the component in the information system. This labeling may be accomplished using permanent markings on the component, a sign placed on the terminal, or labels generated by the system and displayed on the screen.

b. Hard-Copy Output. Hard-copy output includes paper, fiche, film, and other printed media. The accreditation level of the accredited information system must be marked on all hard-copy output retained in, or distributed from, the facility unless an appropriate classification review has been conducted or the information has been generated by a tested program verified to produce consistent results and approved by the DAA. Such programs will be tested on a statistical basis to ensure continuing performance. Once hard copy has been reviewed by an authorized classifier, it must be marked in accordance with DOE M 471.2-1B, CLASSIFIED MATTER PROTECTION AND CONTROL MANUAL.


c. Removable Media. Procedures must be implemented to ensure that personnel handling 
removable media apply visible, human-readable, external markings to the media. 
Removable media must be marked with the accreditation level of the information system 
unless an appropriate classification review has been conducted, or the information on the 
media has been generated by a tested program or methodology verified to produce 
consistent results and approved by the DAA. 
d. Unclassified Media. In facilities where some of the information systems are operated as 
classified and some are dedicated to unclassified operation, removable unclassified media 
must be uniquely marked to prevent them from being mixed with classified media. 


8. PERSONNEL SECURITY. Personnel with system access play an integral role in protecting information, defining their system security policies, and maintaining and monitoring the confidentiality, integrity, and availability attributes that are inherent within their information systems. Personnel directly involved with a system may be users, operators, administrators, Communications Security (COMSEC) custodians, and installers/maintainers. Duties, responsibilities, privileges, and specific limitations of information systems users, both general and privileged, must be specified in writing. So far as feasible, security duties must be distributed to preclude any one individual from adversely affecting operations or the integrity of the system.


a. Access Approvals. Individuals requiring access to classified information must be processed for access authorization in accordance with DOE [order number illegible], PERSONNEL SECURITY ACTIVITIES.

(1) For systems that process classified information at Protection Level 1, 2, or 3, individuals must be cleared to the highest classification processed on that system. For Protection Level 4, 5, or 6 systems, individuals need only be cleared for the information to which they have access.

(2) For Protection Level 1 or 2 systems, the individuals must have all required formal access approvals for all information on the systems. For Protection Level 3, 4, 5, or 6 systems, individuals must have formal access approval for only that information to which they are allowed access.

b. General Users.

(1) General users must-

(a) access only the data, control information, and software for which they are authorized access and have a need-to-know;


(b) immediately report all security incidents and potential threats and vulnerabilities involving the information system to the appropriate ISSO;

(c) protect their authenticators and report any compromise or suspected compromise of an authenticator to the appropriate ISSO;

(d) ensure that system media and system output are properly classified, marked, 
controlled, and stored; 
(e) protect terminals from unauthorized access; 

(f) inform the ISSO when access to a particular information system is no longer 
required (e.g., completion of a project, transfer, retirement, resignation); 

(g) observe rules and regulations governing the secure operation and authorized use 
of information systems; and 

(h) use the information system only for official Government business. 


(2) General users must not attempt to-

(a) introduce malicious code into any information system;

(b) bypass, strain, or test security mechanisms (if the security mechanisms must be bypassed for any reason, users must coordinate the procedure with the ISSO and receive written permission for the procedure); any ongoing or regular bypass of security mechanisms must be approved by the DAA;

(c) introduce or use unauthorized software, firmware, or hardware on an information system;

(d) assume the roles and privileges of others and attempt to gain access to information for which they have no authorization; and

(e) relocate or physically damage information system equipment without proper authorization.

c. Privileged Users.


(1) The number of privileged users must be limited to the absolute minimum number needed to manage the system.


(2) Examples of privileged users (for multi-user systems) include- 


(a) users with “super-user,” “root,” or equivalent access to a system (i.e., system 
administrators, computer operators, perhaps system security officers, etc.); 

(b) those individuals with near or complete control of the operating system of the 
machine or information system or who set up and administer user accounts, 
authenticators, and the like; 
(c) users with access to change control parameters (e.g., routing tables, path 
priorities, addresses) on routers, multiplexors, and other key information system 
equipment; 

(d) users given the capability to control and change other users’ access to data or 
program files (i.e., applications software administrators, administrators of 
specialty file systems, database managers, etc.); and 


(e) users given special access for troubleshooting information systems/security 

monitoring functions (i.e., those using information system analyzers, management 
tools, etc.). 


(3) All privileged users must be responsible for all the requirements as stated for general users.

(4) Privileged users must-

(a) be U.S. citizens unless otherwise approved in writing by the DAA,

(b) possess access approvals for all information on the system,

(c) possess a clearance equal to the highest classification of data processed on or maintained by the information system,

(d) protect the root or super-user authenticator at the highest level of data it secures and not share the authenticator and/or account,

(e) perform all super-user or root actions under his/her account,

(f) report all information system problems to the ISSO, and

(g) use special access or privileges granted only to perform authorized tasks and functions.


(5) Privileged users must not- 


(a) enroll any unauthorized user on an information system or 

(b) use special access or privileges to perform unauthorized tasks or functions. 


9. PHYSICAL SECURITY. 


a. Protection . The information and system must be located in a security area appropriate to 
the classification and sensitivity of the data. 
b. Visual Access. Devices that display or output information in human-readable form must be 
positioned to deter unauthorized individuals from reading the information without the 
knowledge of the user. 

c. Information Protection. Information must be protected in accordance with DOE 5632.1C-
1, MANUAL FOR PROTECTION AND CONTROL OF SAFEGUARDS AND 
SECURITY INTERESTS, Chapter III, Paragraph 3. 


d. Unescorted Access . All personnel granted unescorted physical access to the system must 
have an appropriate security clearance and a need-to-know or a presumptive need-to- 
know for all information on the information system. 


10. PROTECTION OF MEDIA.

a. Media Protection. Media must be protected by at least one (or a combination) of the following until the media have been reviewed following a DAA-approved procedure:

(1) storage in an area approved for open storage of information at the accreditation level of the information system;

(2) storage in an area not approved for open storage of information at the accreditation level of the information system when continuously attended, if the area is continuously attended by appropriate personnel;

(3) Type 1 encryption of the data;

(4) GSA-approved security container or [text illegible] removable [text illegible] container.

b. Removable Media. Removable media must be controlled and protected in a manner consistent with that used for classified matter.

11. REVIEW OF OUTPUT. 


a. Human-Readable Output Review. An appropriate sensitivity and classification review must 
be performed on human-readable output before the output is released outside the system 
boundary to determine whether it is accurately marked with the appropriate classification 
and applicable associated security markings. 

b. Media Review . Electronic output, such as files, to be released outside the security boundary 
must be verified by a comprehensive review (in human-readable form) of all data on the 
media including embedded text (e.g., headers and footers) before being released. 
Information on media that are not in human-readable form (e.g., embedded graphs, sound, 
video, etc.) will be examined for content using the appropriate software application. 
Random or representative sampling techniques may be used to verify the proper marking of 
large volumes of output. The media sampling procedures must be defined and documented. 
DAA-approved automated techniques may be used to verify the proper marking of output. 

12. WASTE, FRAUD, AND ABUSE PROTECTION. Management controls established to address waste, fraud, and abuse of Government property and resources must be documented. 
Waste, fraud, and abuse must be reported in accordance with DOE 2030.4B, REPORTING 
FRAUD, WASTE, AND ABUSE TO THE OFFICE OF INSPECTOR GENERAL. 
CHAPTER VII

GRADED REQUIREMENTS

1. INTRODUCTION. Each section of this chapter describes implementation requirements for a different protection measure.

2. ALTERNATE POWER SOURCE (APS). An alternate power source ensures that system availability is maintained if primary power is lost. An APS can also provide time for orderly system shutdown or the transfer of system operations to another system or power source.

a. APS-1 Requirement. The decision not to use an alternate source of power, such as an uninterruptible power supply for the system, must be documented.

b. APS-2 Requirements. Instead of APS-1, procedures for the graceful shutdown of the system must ensure no loss of data.

c. APS-3 Requirements. Instead of APS-2, procedures for transfer of the system to another power source must ensure that the transfer is completed within the time requirements of the application(s) on the system.


d. Profile Requirements.

Requirements              Availability Level of Concern
                          Low        Medium       High
Alternate Power Source    APS-1      APS-2        APS-3


3. AUDIT CAPABILITY (AUD). Security auditing involves recognizing, recording, storing, and analyzing information related to security-relevant activities. The audit records can be used to determine which activities occurred and which user was responsible for them.

a. AUD-1 Requirements.


(1) Automated Audit Trail Creation. The system must automatically create and maintain 
an audit trail or log. If the operating system cannot provide an automated audit 
capability, an alternative method of accountability for user activities on the system must 
be developed and documented. Audit records must be created to record the 
following: 


(a) successful and unsuccessful logons and logoffs; 
(b) successful and unsuccessful accesses to security-relevant files, including creating, 
opening, closing, modifying, and deleting the files; 

(c) changes in user authenticators; 

(d) blocking or blacklisting a user ID, terminal, or access port and the reason for the 
action; and 

(e) denial of access resulting from an excessive number of unsuccessful logon 
attempts. 


(2) Audit Trail Protection. The contents of audit trails must be protected against unauthorized access, modification, or deletion.

(3) Audit Trail Analysis. Audit analysis and reporting must be scheduled and performed (on Protection Level 1, 2, and 3 systems only). The frequency of the review must be documented. Results of the review must be [text illegible].

(4) Audit Record Retention. Audit records must be retained for at least 6 months.

b. AUD-2 Requirements. In addition to those requirements stated in AUD-1, AUD-2 includes the following requirements.

(1) Audit Trail Contents. The audit trail must include records of-

(a) privileged activities at the system console (either physical or logical consoles) and other accesses by privileged users and

(b) starting and ending times for each access to the system.

(2) Audit Failure. Procedures must be implemented to ensure alternate audit capability or system shutdown in the event of audit failure.


c. AUD-3 Requirements. In addition to those requirements stated in AUD-2, AUD-3 includes the following requirements.

(1) Automated Audit Analysis. Audit analysis and reporting using automated tools must be scheduled and performed.

(2) Security Label Changes. The system must automatically record the creation, deletion, or changes in security labels.
d. AUD-4 Requirements. In addition to those requirements stated in AUD-3, AUD-4 includes the following requirement.

Continuous Monitoring. Auditing must include the continuous, online monitoring of auditable events. The system must notify an authorized person when imminent violations of security policies are detected.

e. AUD-5 Requirements. In addition to those requirements stated in AUD-4, AUD-5 includes the following requirement.

Intrusion Detection and Monitoring. The security posture of the system must be tested at least monthly by employing various intrusion/attack detection and monitoring tools.
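The AUD-1 event categories and the AUD-4 notification rule above, exercised as an added example that is not part of the manual: a small Python checker that replays a constructed audit trail, reports which required categories are absent, flags a blocking record that omits its reason, and raises the "imminent violation" warning as a user ID approaches lockout. The record format, category names and the numeric thresholds are assumptions; the manual leaves those to the site.

```python
"""Added example, not part of the DOE manual: checks a constructed audit trail against
AUD-1(1)(a)-(e) and raises the AUD-4 style notification as a user ID approaches lockout."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# AUD-1(1): the event categories an audit trail must record.
REQUIRED_CATEGORIES: Set[str] = {
    "LOGON", "LOGOFF",       # (a) successful and unsuccessful logons and logoffs
    "FILE_ACCESS",           # (b) accesses to security-relevant files
    "AUTHENTICATOR_CHANGE",  # (c) changes in user authenticators
    "BLOCK",                 # (d) blocking/blacklisting a user ID, terminal or port, with reason
    "LOCKOUT",               # (e) denial of access after excessive unsuccessful logons
}
# Assumed site thresholds (the manual does not fix these numbers): lock a user ID after
# LOCKOUT_THRESHOLD failed logons inside WINDOW, warn an authorized person at WARN_AT.
LOCKOUT_THRESHOLD = 5
WARN_AT = 3
WINDOW = timedelta(minutes=15)

# Constructed sample trail, one record per line: "<ISO time> <CATEGORY> <subject> <outcome> [detail]".
# It deliberately lacks an AUTHENTICATOR_CHANGE record, has a BLOCK without a reason, and
# shows carol reaching the threshold with no LOCKOUT record following.
SAMPLE_TRAIL = """\
2001-03-05T08:00:01 LOGON alice SUCCESS term=tty3
2001-03-05T08:05:10 FILE_ACCESS alice SUCCESS open /classified/report.txt
2001-03-05T08:30:00 LOGOFF alice SUCCESS
2001-03-05T09:00:00 LOGON bob FAILURE term=tty5
2001-03-05T09:00:20 LOGON bob FAILURE term=tty5
2001-03-05T09:00:40 LOGON bob FAILURE term=tty5
2001-03-05T09:01:00 LOGON bob FAILURE term=tty5
2001-03-05T09:01:20 LOGON bob FAILURE term=tty5
2001-03-05T09:01:21 LOCKOUT bob n/a excessive unsuccessful logon attempts
2001-03-05T10:00:00 LOGON carol FAILURE term=tty7
2001-03-05T10:00:30 LOGON carol FAILURE term=tty7
2001-03-05T10:01:00 LOGON carol FAILURE term=tty7
2001-03-05T10:01:30 LOGON carol FAILURE term=tty7
2001-03-05T10:02:00 LOGON carol FAILURE term=tty7
2001-03-05T11:00:00 BLOCK tty7 n/a
"""

@dataclass(frozen=True)
class AuditRecord:
    ts: datetime
    category: str
    subject: str  # user ID, or the terminal/port for BLOCK records
    outcome: str  # SUCCESS, FAILURE or n/a
    detail: str   # free text; for BLOCK it must carry the reason (AUD-1(1)(d))

def parse_record(line: str) -> AuditRecord:
    """Parse one record in the constructed format above."""
    fields = line.split(maxsplit=4)
    if len(fields) < 4:
        raise ValueError(f"malformed audit record: {line!r}")
    ts, category, subject, outcome = fields[:4]
    detail = fields[4] if len(fields) == 5 else ""
    return AuditRecord(datetime.fromisoformat(ts), category, subject, outcome, detail)

def parse_trail(text: str) -> List[AuditRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def missing_categories(records: List[AuditRecord]) -> Set[str]:
    """AUD-1(1) coverage: required categories that never appear in the trail."""
    return REQUIRED_CATEGORIES - {r.category for r in records}

def blocks_without_reason(records: List[AuditRecord]) -> List[AuditRecord]:
    """AUD-1(1)(d): every BLOCK record must state the reason for the action."""
    return [r for r in records if r.category == "BLOCK" and not r.detail]

def failed_logon_review(records: List[AuditRecord]) -> Dict[str, List[str]]:
    """Replay the trail in time order and count each user ID's failed logons inside WINDOW.
    Findings per user: WARN at WARN_AT failures (the AUD-4 notification of an imminent
    violation), LOCKOUT_DUE at LOCKOUT_THRESHOLD, and LOCKOUT_MISSING when the trail holds
    no AUD-1(1)(e) denial record for that user at all."""
    findings: Dict[str, List[str]] = {}
    recent: Dict[str, List[datetime]] = {}
    locked_out: Set[str] = set()
    for r in sorted(records, key=lambda rec: rec.ts):
        if r.category == "LOCKOUT":
            locked_out.add(r.subject)
        elif r.category == "LOGON" and r.outcome == "SUCCESS":
            recent[r.subject] = []  # a successful logon resets the running count
        elif r.category == "LOGON" and r.outcome == "FAILURE":
            times = [t for t in recent.get(r.subject, []) if r.ts - t <= WINDOW]
            times.append(r.ts)
            recent[r.subject] = times
            notes = findings.setdefault(r.subject, [])
            if len(times) == WARN_AT:
                notes.append("WARN")
            if len(times) == LOCKOUT_THRESHOLD:
                notes.append("LOCKOUT_DUE")
    for user, notes in findings.items():
        if "LOCKOUT_DUE" in notes and user not in locked_out:
            notes.append("LOCKOUT_MISSING")
    return findings

if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    print(sorted(missing_categories(trail)), [r.subject for r in blocks_without_reason(trail)])
    print(failed_logon_review(trail))
```

On the constructed trail this reports AUTHENTICATOR_CHANGE as the missing category, the tty7 block as lacking a reason, bob as warned and then locked out as required, and carol as warned, due for lockout, but never denied.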

f. Profile Requirements.

Requirements        Confidentiality Protection Level
                    1        2             3             4        5        6
Audit Capability    AUD-1    [illegible]   [illegible]   AUD-4    AUD-4    AUD-5

Requirements        Integrity Level of Concern
                    Low      Medium    High
Audit Capability    AUD-1    AUD-2     AUD-4


4. BACKUP AND RESTORATION OF DATA (BRD). The regular backup of information is necessary to ensure that users have continuing access to the information. Periodic checking of backup inventories and testing of the ability to restore information validates that the overall backup process is working.


a. BRD-1 Requirements.


(1) Backup Procedures. Procedures for the regular backup of all essential and security-relevant information, including software tables and settings (e.g., router tables, 
software, and documentation), must be documented. 

(2) Backup Frequency . The frequency of backups must be defined, with the assistance of 
the data custodian(s), and documented in the backup procedures. 

b. BRD-2 Requirements. In addition to those requirements stated in BRD-1, BRD-2 includes 
the following requirements. 
(1) Backup Media Storage. Media containing backup files and backup documentation 
must be stored at another location, such as another part of the same building, a nearby 
building, or off site, to reduce the possibility that a common occurrence could eliminate 
the on-site backup data and the off-site backup data. 

(2) Verification of Backup Procedures. Backup procedures must be verified periodically 
by confirming that the date of last backup is consistent with the backup procedures. 

c. BRD-3 Requirements. In addition to those requirements stated in BRD-2, BRD-3 includes 
the following requirement. 


Information Restoration Testing. Complete restoration of information from backup media must be tested periodically. The frequency of restoration testing must be defined and documented in the backup procedures.

d. Profile Requirements.

Requirements                      Availability Level of Concern
                                  Low            Medium     High
Backup and Restoration of Data    [illegible]    BRD-2      BRD-3

Requirements                      Integrity Level of Concern
                                  Low      Medium    High
Backup and Restoration of Data    BRD-1    BRD-2     BRD-3


5. CHANGES TO DATA (CD). The control of changes to data includes deterring, detecting, and reporting successful and unsuccessful attempts to change data. Control of changes to data may range from simply detecting a change attempt to the ability to ensure that only authorized changes are allowed.


a. CD-1 Requirement.

Change Procedures . Procedures and technical system features to ensure that changes to the 
data are executed only by authorized personnel or processes must be documented. 

b. CD-2 Requirements. In addition to those requirements stated in CD-1, CD-2 includes the following requirement.

Transaction Log. A transaction log, protected from unauthorized changes, must be available 
to allow immediate correction of unauthorized data changes and off-line verification of all 
changes at all times. 


c. Profile Requirements.

Requirements        Integrity Level of Concern
                    Low      Medium    High
Changes to Data     CD-1     CD-1      CD-2


6. COMMUNICATIONS (COM). Information protection is required whenever classified information is to be transmitted, carried to, or carried through areas or components where individuals not authorized to have access to the information may have unescorted physical or uncontrolled electronic access to the information or communication media (e.g., outside the system perimeter).

a. COM-1 Requirements.

Protections. One or more of the following protections must be used:

(a) information distributed only within an area approved for open storage of the information,

(b) National Security Agency (NSA)-approved encryption mechanisms appropriate for the encryption of classified information,

(c) Protected Transmission System, and

(d) courier.

b. COM-2 Requirements. In addition to those requirements stated in COM-1, COM-2
includes the following requirements.

(1) Public Switched Networks. Any classified system connected to a public switched
network (e.g., Internet) or an internal network that is not accredited at the same level
must use a controlled interface that meets the requirements in Chapter VIII and
performs the following.

(a) Review Before Release. Unclassified communication from the inside must be
reviewed for classification before being released.

(b) Encryption of Message Body. The body of classified communications from the
inside must be encrypted with NSA-approved encryption mechanisms
appropriate for the classification of the information for encryption of stored data.

(c) Notification of Recipient. Communication from the outside must have an inside
sponsor (i.e., the controlled interface will notify the sponsor of the communication
and release the communication on notification from the sponsor).

(d) Review of Outside Communications. Communication from the outside must be
reviewed for viruses and other malicious code.

(e) End-to-End Integrity. Integrity attributes adequate to ensure the end-to-end
integrity of transmitted information (including labels or security parameters) must
be included with all information transmitted externally to a system or network.


c. Profile Requirements.

Requirements        Confidentiality Protection Level
                    1        2        3        4        5        6
Communications      [cell assignment illegible in source; legible entries: COM-1, COM-2, COM-1, COM-1]

NOTE: DOE will not approve the connection of Protection Level 5 or Protection Level 6 systems to
Public Switched Networks.

Requirements        Integrity Level of Concern
                    Low      Medium   High
Communications      COM-1    COM-1    COM-2


7. CONFIGURATION MANAGEMENT . Configuration management (CM) ensures that 
protection features are implemented and maintained in the system. CM applies a level of 
discipline and control to the processes of system maintenance and modification. CM provides 
system users with a measure of assurance that the implemented system represents the approved 
system. 


a. CM-1 Requirements.

(1) Configuration Documentation. Procedures must be implemented to identify and
document the type, model, and brand of system or network component (e.g., a
workstation, personal computer, or router), security-relevant software product names
and version or release numbers, and physical location.

(2) System Connectivity. Procedures must be implemented to identify and document
system connectivity, including any software used for wireless communication, and any
communications media.

(3) Review of Security-Relevant Changes. All modifications to security-relevant resources
(including software, firmware, hardware, or interfaces and inter-connections to
networks) must be reviewed and approved in accordance with procedures prior to
implementation. All security-relevant modifications must be subject to the provisions
of the system configuration management program. The ISSM must notify the DAA of
requests for changes to the resources that deviate from the requirements of the
approved ISSP. The DAA must consider the system for reaccreditation.


b. CM-2 Requirements. In addition to those requirements stated in CM-1, CM-2 includes the
following requirements.

(1) Connection Sensitivity. The sensitivity level of each connection or port controlled by
the SSS must be documented.

(2) CM Plan. The CM plan must be documented and must include-

(a) formal change control procedures for security-relevant hardware and software;

(b) procedures for management of all documentation, such as the ISSP and security
test plans, used to establish system security; and

(c) workable processes to implement, periodically test, and verify the CM plan.

c. CM-3 Requirements. In addition to those requirements stated in CM-2, CM-3 includes the
following requirements.

(1) CM Plan. In addition to the requirements of the CM plan in CM-2, the CM plan must
include-

(a) a CM control board that implements procedures to ensure the security review
and approval of changes that affect the SSS and

(b) a verification process to provide additional assurance that the CM process is
working effectively and that changes outside the CM process are technically or
procedurally not permitted.

d. Profile Requirements.

Requirements                  Confidentiality Protection Level
                              1       2       3       4       5       6
Configuration Management      CM-1    CM-1    CM-2    CM-3    CM-3    CM-3

Requirements                  Integrity Level of Concern
                              Low     Medium  High
Configuration Management      CM-1    CM-2    CM-3


8. DISASTER RECOVERY PLANNING (DRP).

a. DRP-1 Requirements.

(1) Mission Essential. The system’s mission-essential [word illegible in source] must be identified.

(2) Plan Decision. The manager or director responsible for the system must
determine the need for a continuity of operations plan and/or develop a contingency plan for each
information system. This decision must be documented and signed by the manager or
supervisor. A statement of the basis for that decision must be
documented in the ISSP. If a continuity of operations plan or contingency plan is not
needed, the ISSP must so state.

(3) Procedures. Documented procedures for the backup of all essential information,
software, and documentation must be implemented on a regular basis. The backup
procedures must be attached to or referenced in an attachment to the ISSP. The
frequency of backups must be defined by the ISSO, with the assistance of the data
custodian(s), and documented in the backup procedures.

(4) Plan Elements. The elements of a disaster recovery plan defined in MA-365,
“Disaster Recovery Program Guideline,” dated July 1991, must be addressed in the
plan(s).


b. DRP-2 Requirements. In addition to those requir­ements stated in DRP-1, DRP-2 includes
the following requirement.

Verification of Procedures. Backup procedures must be verified periodically by confirming
that the date of last backup is consistent with the backup procedures. The frequency of
verification must be defined by the ISSO, with the assistance of the data custodian(s), and
documented in the backup procedures.
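The verification that BRD-2 (above) and DRP-2 both call for, comparing the date of the last backup with the documented frequency, is a check that can be automated and run on the schedule the ISSO defines. The following is an added example written for this page, not code from the Manual; the procedure table, the system names and the timestamps are constructed, and the "inconsistent" case (a recorded backup date in the future) is a sanity check added here because a bad record is as much a finding as a missed backup.

```python
# Added example (not part of DOE M 471.2-2): checking that the date of the last
# backup is consistent with the documented backup frequency, and that the
# recorded date itself is plausible. The procedure table and timestamps are
# constructed for the demonstration.
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed excerpt of a site's documented backup procedures: the frequency the
# ISSO defined for each system and the last backup date recorded on the media log.
BACKUP_PROCEDURES: Dict[str, Dict[str, object]] = {
    "payroll-db":   {"frequency_hours": 24,  "last_backup": "1999-08-02T22:00:00"},
    "file-server":  {"frequency_hours": 168, "last_backup": "1999-07-20T01:00:00"},
    "ci-log-host":  {"frequency_hours": 24,  "last_backup": "1999-08-03T01:30:00"},
    "dev-box":      {"frequency_hours": 24,  "last_backup": "1999-08-04T00:00:00"},
}


def check_backup_currency(procedures: Dict[str, Dict[str, object]], now: datetime,
                          grace_hours: float = 0.0) -> List[Dict[str, object]]:
    """One finding per system: 'ok', 'overdue' (older than frequency + grace),
    or 'inconsistent' (last backup recorded in the future, i.e. a bad record)."""
    findings = []
    for system, proc in procedures.items():
        last = datetime.fromisoformat(str(proc["last_backup"]))
        allowed = timedelta(hours=float(proc["frequency_hours"]) + grace_hours)
        age = now - last
        if age < timedelta(0):
            status = "inconsistent"
        elif age > allowed:
            status = "overdue"
        else:
            status = "ok"
        findings.append({"system": system, "status": status,
                         "age_hours": round(age.total_seconds() / 3600, 1)})
    return findings


def systems_needing_attention(procedures: Dict[str, Dict[str, object]], now: datetime,
                              grace_hours: float = 0.0) -> Dict[str, List[str]]:
    """Group the non-'ok' findings so the ISSO can act on them."""
    out: Dict[str, List[str]] = {"overdue": [], "inconsistent": []}
    for f in check_backup_currency(procedures, now, grace_hours):
        if f["status"] != "ok":
            out[str(f["status"])].append(str(f["system"]))
    return out


def run_check(now_iso: str, grace_hours: float = 0.0) -> Dict[str, List[str]]:
    """Convenience wrapper over the constructed procedure table for a given 'now'."""
    return systems_needing_attention(BACKUP_PROCEDURES, datetime.fromisoformat(now_iso),
                                     grace_hours)


if __name__ == "__main__":
    print(run_check("1999-08-03T08:00:00"))
```

The grace period is a local decision (the Manual says only that the frequency must be defined and documented); whatever value is chosen belongs in the backup procedures so that the check and the document agree.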
c. DRP-3 Requirements. In addition to those requirements stated in DRP-2, DRP-3 includes
the following requirement.

Testing of the Disaster Recovery Program. A testing plan must be developed that addresses
the criteria for evaluating the test results and the schedule for performing the tests.

d. Profile Requirements.



Requirements                  Availability Level of Concern
                              Low      Medium   High
Disaster Recovery Planning    DRP-1    DRP-2    DRP-3


9. INDEPENDENT VALIDATION AND VERIFICATION (IVV).

a. IVV-1 Requirements.

(1) IV&V Team. An IV&V team, in coordination with the ISSM, must-

(a) assist in the design phase of the system,

(b) assist in determining the certification test requirements,

(c) assist in the certification testing, and

(d) evaluate the security of the implemented system.

(2) IV&V Request. The ISSM must forward the request for an IV&V team through the
DAA to the [office illegible in source]. The request must identify funding sources for the IV&V team.

b. IVV-2 Requirements. In addition to those requirements stated in IVV-1, IVV-2 includes
the following requirement.

Annual Evaluation. On an annual basis, the IV&V team must evaluate the security of the
implemented system.

c. Profile Requirements.




Requirements                     Confidentiality Protection Level
                                 1       2       3       4       5       6
Independent Validation           -       -       -       IVV-1   IVV-1   IVV-2
and Verification
10. RESOURCE ACCESS CONTROLS (RAC). Information systems must store and preserve the
integrity of the sensitivity of all information internal to the information system.

a. RAC-1 Requirements. Discretionary access controls must be provided.

b. RAC-2 Requirements. In addition to those requirements stated in RAC-1, RAC-2 includes
the following requirements.

(1) Security Labels. The information system must place electronic security labels on all
entities (e.g., files) reflecting the sensitivity (classification level, classification category,
and handling caveats) of the information for resources and the authorizations (access
authorizations, need-to-know, formal access approvals) for users. These labels must
be an integral part of the electronic data or media and must be compared to the user or
resource profile and validated before a user or resource is granted access to the entity.

(2) Export of Security Labels. Security labels exported from the information system must
accurately represent the corresponding security labels on the information in the
originating information system.

(3) Security Label Integrity. The information system must ensure the following:

(a) integrity of the security labels,

(b) association of a security label with the transmitted data, and

(c) enforcement of the control features of the security labels.

c. RAC-3 Requirements. In addition to those requirements stated in RAC-2, RAC-3 includes
the following requirements.

(1) [Title illegible in source]. The information system must ensure that the originating and destination
[words illegible in source] are a part of each message header and that they enforce the control
features of the data flow between originator and destination.

(2) Mandatory Access Controls. Mandatory access controls must be provided.
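The label mechanics RAC-2 (1) through (3) and RAC-3 (2) describe can be made concrete in a small model: a label is compared with the user's authorizations before access (a mandatory check, not a discretionary one), a label is exported in a canonical form that imports back to exactly the same label, and a keyed tag keeps a label attached to the data it travels with. The following is an added example written for this page, not code from the Manual; the level ordering, the category and project names, the users and the key are all constructed, and the need-to-know check modelled as project tags is an assumption made here for illustration.

```python
# Added example (not part of DOE M 471.2-2): a security-label model in which a
# user's authorizations are compared with an entity's label before access is
# granted (RAC-2 (1), RAC-3 (2)), labels are exported in a canonical form that
# round-trips exactly (RAC-2 (2)), and a keyed tag binds a label to the data it
# travels with (RAC-2 (3)). Levels, categories, projects and the key are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed ordering of classification levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
LABEL_KEY = b"constructed-label-integrity-key"


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()  # compartments needing formal access approval
    caveats: FrozenSet[str] = frozenset()     # handling caveats

    def dominates(self, other: "Label") -> bool:
        """Level at least as high, and every category and caveat of `other` present."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories
                and self.caveats >= other.caveats)


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    authorization: Label                        # clearance plus formal access approvals
    need_to_know: FrozenSet[str] = frozenset()  # constructed: project tags the user works on


@dataclass(frozen=True)
class Entity:
    name: str
    label: Label
    projects: FrozenSet[str] = frozenset()      # constructed: projects the data belongs to


def may_access(user: UserProfile, entity: Entity) -> bool:
    """Mandatory check run before any access: the user's authorization must
    dominate the entity's label, and need-to-know must cover the entity's projects."""
    if not user.authorization.dominates(entity.label):
        return False
    return not entity.projects or bool(entity.projects & user.need_to_know)


def export_label(label: Label) -> str:
    """Canonical external form LEVEL//CAT,CAT//CAVEAT,CAVEAT (sorted, so it is unambiguous)."""
    return "//".join([label.level,
                      ",".join(sorted(label.categories)),
                      ",".join(sorted(label.caveats))])


def import_label(text: str) -> Label:
    level, cats, cavs = text.split("//")
    if level not in LEVELS:
        raise ValueError("unknown classification level in imported label")
    return Label(level, frozenset(c for c in cats.split(",") if c),
                 frozenset(c for c in cavs.split(",") if c))


def seal(label: Label, payload: bytes, key: bytes = LABEL_KEY) -> bytes:
    """Transmit form: label line, tag line, then the data. The tag covers both
    label and data, so the association between them cannot be altered unnoticed."""
    header = export_label(label).encode()
    tag = hmac.new(key, header + b"\n" + payload, hashlib.sha256).hexdigest().encode()
    return header + b"\n" + tag + b"\n" + payload


def unseal(message: bytes, key: bytes = LABEL_KEY) -> Tuple[Label, bytes]:
    header, tag, payload = message.split(b"\n", 2)
    expected = hmac.new(key, header + b"\n" + payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("label is not the one associated with this data")
    return import_label(header.decode()), payload


# Constructed users and entities for the demonstration.
ALICE = UserProfile("alice", Label("SECRET", frozenset({"ALPHA"})), frozenset({"projX"}))
ENTITIES = {
    "memo":    Entity("memo", Label("CONFIDENTIAL"), frozenset({"projX"})),
    "bravo":   Entity("bravo", Label("SECRET", frozenset({"BRAVO"}))),
    "ts-plan": Entity("ts-plan", Label("TOP SECRET")),
    "projY":   Entity("projY", Label("SECRET", frozenset({"ALPHA"})), frozenset({"projY"})),
}


def access_matrix(user: UserProfile = ALICE) -> dict:
    """Access decision for the constructed user against each constructed entity."""
    return {name: may_access(user, e) for name, e in ENTITIES.items()}
```

Two details carry the weight here: the export form sorts categories and caveats so that two equal labels always serialize identically, which is what makes "accurately represent" testable; and the tag in `seal` is computed over the header and the payload together, so swapping a label onto different data fails verification just as editing the label does.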


d. Profile Requirements.

Requirements                  Confidentiality Protection Level
                              1       2       3       4       5       6
Resource Access Controls      -       RAC-1   RAC-2   RAC-3   RAC-3   RAC-3
11. RESOURCE UTILIZATION (RU).

a. RU-1 Requirement.

Resource Reallocation. The system must ensure that resources contain no residual
data before being assigned, allocated, or reallocated.

b. RU-2 Requirement. In addition to those requirements stated in RU-1, RU-2 includes the
following requirement.

Resource Allocation. The SSS must provide the capability to control a defined set of
system resources (e.g., memory, disk space) such that no one user can deny another user
access to the resources.

c. Profile Requirements.

Requirements              [column headings illegible in source]
Resource Utilization      [cells illegible in source]


12. SESSION CONTROLS (SC). Session controls are requirements, over and above identification
and authentication, for controlling the establishment of a user’s session.

a. SC-1 Requirements.

(1) [Title illegible in source]. All authorized information system users must be notified prior to
gaining access to a system that system usage is monitored, recorded, and subject to
audit. The user must also be advised that, by using the system, he/she has granted
consent to such monitoring and recording. The user must also be advised that
unauthorized use is prohibited and subject to criminal and civil penalties. If the
operating system permits, each initial screen (displayed before user logon) must contain
a warning text to the user, who must be required to take positive action to remove the
notice from the screen (monitoring and recording, such as collection and analysis of
audit trail information, must be performed).

The following is a suggested warning text to the user.

WARNING: To protect the system from unauthorized use and to ensure
that the system is functioning properly, activities on this system are
monitored and recorded and subject to audit. Use of this system is
expressed consent to such monitoring and recording. Any unauthorized
access or use of this system is prohibited and could subject the user to
criminal and civil penalties.
If an “initial screen” warning notice cannot be provided, other methods of notification
must be developed and submitted for DAA approval.

(2) Successive Logon Attempts. If the operating system provides the capability,
successive logon attempts must be controlled as follows:

(a) by denying access after multiple (maximum of five) consecutive unsuccessful
attempts on the same user ID;

(b) by limiting the number of access attempts in a specified time period;

(c) by use of a time-delay control system; and

(d) by other such methods, subject to approval by the DAA.

(3) System Entry. The system must grant entry only in accordance with the conditions
associated with the authenticated user’s profile. If no explicit entry conditions are
defined, the default must prohibit all [words illegible in source], such as remote logons and
anonymous file access.
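SC-1 (2)(a) through (c) are usually applied together rather than as alternatives: a hard lockout after a fixed number of consecutive failures, a cap on attempts within a time period, and a delay that grows with each failure. The following is an added example written for this page, not code from the Manual; the Manual fixes only the "maximum of five", so the window length, the per-window cap and the delay schedule are constructed values, and the clock is injectable so the behaviour can be exercised without waiting.

```python
# Added example (not part of DOE M 471.2-2): a logon-attempt controller applying
# SC-1 (2)(a)-(c) together. Only the ceiling of five consecutive failures comes
# from the Manual; window, cap and delay values are constructed.
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Optional


@dataclass
class LogonPolicy:
    max_consecutive_failures: int = 5    # (a): the Manual's ceiling of five
    window_seconds: float = 300.0        # (b): constructed period for counting attempts
    max_attempts_in_window: int = 10     # (b): constructed cap within that period
    base_delay_seconds: float = 1.0      # (c): constructed delay, doubling per failure


@dataclass
class _AccountState:
    consecutive_failures: int = 0
    locked: bool = False
    not_before: float = 0.0
    attempts: Deque[float] = field(default_factory=deque)


class LogonAttemptController:
    def __init__(self, policy: LogonPolicy,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.policy = policy
        self.clock = clock
        self._state: Dict[str, _AccountState] = {}

    def check(self, user_id: str) -> Optional[str]:
        """None if an attempt may proceed, otherwise the reason it is refused.
        Every refusal is a candidate audit event for the ISSO."""
        st = self._state.setdefault(user_id, _AccountState())
        now = self.clock()
        if st.locked:
            return "locked: too many consecutive unsuccessful attempts"
        if now < st.not_before:
            return f"delayed: retry in {st.not_before - now:.1f}s"
        while st.attempts and now - st.attempts[0] > self.policy.window_seconds:
            st.attempts.popleft()               # forget attempts outside the period
        if len(st.attempts) >= self.policy.max_attempts_in_window:
            return "rate limited: too many attempts in the period"
        return None

    def record(self, user_id: str, success: bool) -> None:
        """Update state after the authenticator has been checked."""
        st = self._state.setdefault(user_id, _AccountState())
        now = self.clock()
        st.attempts.append(now)
        if success:
            st.consecutive_failures = 0
            st.not_before = 0.0
            return
        st.consecutive_failures += 1
        st.not_before = now + self.policy.base_delay_seconds * 2 ** (st.consecutive_failures - 1)
        if st.consecutive_failures >= self.policy.max_consecutive_failures:
            st.locked = True                    # stays locked until an administrator resets it

    def reset(self, user_id: str) -> None:
        """Administrative reset, e.g. by the ISSO after the lockout has been reviewed."""
        self._state.pop(user_id, None)


def demo() -> dict:
    """Constructed scenario using a mutable clock value instead of real time."""
    clock = [0.0]
    ctl = LogonAttemptController(LogonPolicy(), lambda: clock[0])
    before = []
    for _ in range(5):                          # five failures, each after the delay has passed
        before.append(ctl.check("jdoe"))
        ctl.record("jdoe", success=False)
        clock[0] += 60
    after = ctl.check("jdoe")                   # locked
    ctl.record("asmith", success=False)
    delayed = ctl.check("asmith")               # refused by the time-delay control
    ctl3 = LogonAttemptController(LogonPolicy(max_attempts_in_window=3), lambda: clock[0])
    for _ in range(3):
        ctl3.record("bjones", success=True)
    limited = ctl3.check("bjones")              # refused by the per-period cap
    return {"before_lockout": before, "after_lockout": after,
            "delayed": delayed, "limited": limited}
```

The per-period cap counts successful attempts as well as failures, which is deliberate: SC-1 (2)(b) limits access attempts, and a burst of valid logons from one user ID is exactly the pattern a shared or stolen credential produces.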


b. SC-2 Requirements. In addition to those requirements stated in SC-1, SC-2 includes the
following requirements.

(1) Multiple Logon Control. If the information system supports multiple logon sessions for
each user ID or account, the information system must provide a protected capability to
control the number of logon sessions for each user ID, account, or specific port of
entry. The information system default must be a single logon session.

(2) User Inactivity. The information system must detect an interval of user inactivity, such
as no keyboard entries, and must disable any future user activity until the user re-
establishes the correct identity with a valid authenticator. The inactivity time period
and restart requirements must be documented.

(3) Logon Notification. If the operating system provides the capability, the user must be
notified upon successful logon of-

(a) the date and time of the user’s last logon,

(b) the location of the user (as can best be determined) at last logon, and

(c) the number of unsuccessful logon attempts using this user ID since the last
successful logon.
This notice must require positive action by the user to remove the notice from the
screen.
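SC-2 (1) through (3) describe three pieces of state a session layer has to keep: how many sessions a user ID has open (default one), when the session last saw activity, and the last-logon history that feeds the notice. The following is an added example written for this page, not code from the Manual; the inactivity interval is a constructed value (the Manual requires only that it be documented), and the clock is injectable for the demonstration.

```python
# Added example (not part of DOE M 471.2-2): a session manager applying SC-2 (1)-(3).
# The inactivity interval is constructed; the single-session default is the Manual's.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class SessionPolicy:
    max_sessions_per_user: int = 1       # SC-2 (1): default is a single logon session
    inactivity_seconds: float = 900.0    # SC-2 (2): constructed; must be documented per system


@dataclass
class Session:
    user_id: str
    port_of_entry: str
    last_activity: float
    locked: bool = False


@dataclass
class LogonHistory:
    last_logon_time: Optional[float] = None
    last_logon_location: Optional[str] = None
    failures_since_last_success: int = 0


class SessionManager:
    def __init__(self, policy: SessionPolicy, clock: Callable[[], float]) -> None:
        self.policy = policy
        self.clock = clock
        self.sessions: Dict[int, Session] = {}
        self.history: Dict[str, LogonHistory] = {}
        self._next_id = 1

    def logon(self, user_id: str, port_of_entry: str, authenticated: bool) -> Optional[dict]:
        """Open a session after authentication; returns the session id and the
        SC-2 (3) notice, or None when authentication failed."""
        hist = self.history.setdefault(user_id, LogonHistory())
        if not authenticated:
            hist.failures_since_last_success += 1
            return None
        active = [s for s in self.sessions.values() if s.user_id == user_id]
        if len(active) >= self.policy.max_sessions_per_user:
            raise PermissionError("logon session limit reached for this user ID")
        notice = {"last_logon_time": hist.last_logon_time,
                  "last_logon_location": hist.last_logon_location,
                  "unsuccessful_attempts_since_last_logon": hist.failures_since_last_success}
        now = self.clock()
        hist.last_logon_time, hist.last_logon_location = now, port_of_entry
        hist.failures_since_last_success = 0
        sid, self._next_id = self._next_id, self._next_id + 1
        self.sessions[sid] = Session(user_id, port_of_entry, now)
        return {"session_id": sid, "notice": notice}

    def activity(self, sid: int) -> bool:
        """Called on each user action. False means the session is locked: the
        inactivity interval elapsed and nothing proceeds until re-authentication."""
        s = self.sessions[sid]
        now = self.clock()
        if s.locked or now - s.last_activity > self.policy.inactivity_seconds:
            s.locked = True
            return False
        s.last_activity = now
        return True

    def reauthenticate(self, sid: int, authenticator_valid: bool) -> bool:
        s = self.sessions[sid]
        if s.locked and authenticator_valid:
            s.locked = False
            s.last_activity = self.clock()
        return not s.locked

    def logoff(self, sid: int) -> None:
        self.sessions.pop(sid, None)


def demo() -> dict:
    """Constructed scenario using a mutable clock value instead of real time."""
    clock = [0.0]
    mgr = SessionManager(SessionPolicy(), lambda: clock[0])
    mgr.logon("jdoe", "console-1", authenticated=False)       # one failed attempt
    first = mgr.logon("jdoe", "console-1", authenticated=True)
    try:
        mgr.logon("jdoe", "remote-7", authenticated=True)     # second concurrent session
        second_allowed = True
    except PermissionError:
        second_allowed = False
    clock[0] += 1000                                          # longer than the inactivity interval
    active_after_idle = mgr.activity(first["session_id"])     # False: locked
    unlocked = mgr.reauthenticate(first["session_id"], authenticator_valid=True)
    mgr.logoff(first["session_id"])
    second = mgr.logon("jdoe", "remote-7", authenticated=True)
    return {"first_notice": first["notice"], "second_allowed": second_allowed,
            "active_after_idle": active_after_idle, "unlocked": unlocked,
            "next_notice": second["notice"]}
```

Note that the failure counter is reset only on a successful logon, so the notice at the next logon reports exactly the attempts the user did not make themselves since they were last in.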


c. SC-3 Requirement. In addition to those requirements stated in SC-2, SC-3 includes the
following requirement, which must include security level changes.

Security Level Changes. The information system must immediately notify the user of each
change in the security level or compartment associated with that user during an interactive
session. A user must be able to query the information system as desired for a display of the
user’s complete sensitivity label.

d. Profile Requirements.




Requirements          Confidentiality Protection Level
                      1       2       3       4       5       6
Session Controls      SC-1    SC-2    SC-2    SC-3    SC-3    SC-3


13. SECURITY DOCUMENTATION (SD). Security documentation includes all descriptions of the
security features, design descriptions of security-relevant software and hardware, certification
packages, and system security plans. The Information Systems Security Plan (ISSP) is
the basic system protection document and evidence that the proposed system, or update to an
existing system, meets the protection requirements. The ISSP is used throughout the
certification and approval process and serves for the lifetime of the system as the formal record of
the system and its environment as approved for operation. The ISSP also serves as the basis for
inspections of the system. Documentation common to several systems at a site or information
contained in other documents may be attached to or referenced in the ISSP.

a. SD-1 Requirements.

(1) ISSP. The documented ISSP must contain the following.
(a) System Identification.

1 Security Personnel. The name, location, and phone number of the system
owner, DAA, ISSM, and ISSO.

2 Description. A brief narrative description of the system or network mission
or purpose and architecture, including subnetworks, communications
devices, and protocols.

(b) System Requirements Specification.

1 Sensitivity or Classification Levels of Information. The sensitivity or
classification levels and categories of all information on the system.

2 Levels of Concern for Confidentiality, Integrity, and Availability. The
confidentiality level of concern and protection level, the integrity level of
concern, and the availability level of concern.

3 Variances from the Protection Profile Requirements. A description of any
approved variances from the protection profile. A copy of the approval
documentation must be attached to the ISSP.

(c) System-Specific Risks and Vulnerabilities. A description of the risk assessment
of any threats or vulnerabilities unique to the system. If no threats or
vulnerabilities unique to the site or system exist, the description must so state. If
any vulnerabilities are identified by the assessment of unique threats, the
countermeasures implemented to mitigate the vulnerabilities must be described.

(d) System Configuration. A brief description of the system architecture, including a
block diagram of the components that shows the interconnections between the
components and any connections to other systems.

(e) Connections to Separately Accredited Networks and Systems. If connections to
other systems exist, a memorandum of understanding is necessary if the systems
are approved by a person other than the DAA responsible for this system. A
copy of any memoranda of understanding with other agencies must be attached
to the ISSP.

(f) Security Support Structure. An overview of the SSS including all controlled
interfaces, their interconnection criteria, and security requirements.

(g) System Implementation of Requirements. A brief description of how the system
implements each of the baseline and protection requirements.

(h) Compliance Statements. Statements of compliance that TEMPEST, Protected
Transmission System (PTS), Technical Surveillance Countermeasures (TSCM),
and other security requirements have been met.

b. SD-2 Requirement. In addition to those requirements stated in SD-1, SD-2 includes the
following requirement.

IV&V Report. A report from the IV&V team.
c. Profile Requirements.

Requirements               Confidentiality Protection Level
                           1       2       3       4       5       6
Security Documentation     SD-1    SD-1    SD-1    SD-2    SD-2    SD-2


14. SEPARATION OF FUNCTIONS (SF).

a. SF-1 Requirement.

Separation of Functions. The functions of the ISSO and the system manager must not be
performed by the same person.

b. Profile Requirements.

Requirements                Confidentiality Protection Level
                            PL 1    PL 2    PL 3    PL 4    PL 5    PL 6
Separation of Functions     -       -       -       SF-1    SF-1    SF-1


15. SYSTEM RECOVERY (SR). System recovery addresses the functions that respond to failures
in the SSS or interruptions in operation. Recovery actions ensure that the SSS is returned to a
condition in which all security-relevant functions are operational or system operation is suspended.

a. SR-1 Requirement.

Controlled Recovery. Procedures and information system features must be implemented to
ensure that system recovery is controlled. If any off-normal conditions arise
during recovery, the information system must be accessible only via terminals monitored by
the ISSO or designee, or via the information system console.

b. SR-2 Requirement.

Trusted Recovery. Procedures and technical system features must be implemented to
ensure that system recovery occurs in a trusted and secure manner. Procedures to mitigate
all information system recovery circumstances where the restoration of protection features
cannot be ensured must be implemented and documented.
c. Profile Requirements.

Requirements          Confidentiality Protection Level
                      1       2       3       4       5       6
System Recovery       SR-1    SR-1    SR-1    SR-2    SR-2    SR-2


16. SECURITY SUPPORT STRUCTURE (SSS). The SSS consists of those components of a
system (hardware, software, firmware, and communications) essential to maintaining the security
policy(ies) of the system.

a. SSS-1 Requirement.

Access to Protection Functions. Access to hardware, software, and firmware that perform
systems or security functions must be limited to authorized personnel.

b. SSS-2 Requirements. In addition to those requirements stated in SSS-1, SSS-2 includes
the following requirements.

(1) SSS Protection Documentation. The protections and provisions, including
identification of all controlled interfaces, their interconnection criteria, and security
requirements, of the SSS must be documented.

(2) Informal Description of Security Policy Model. An informal description of the security policy
model enforced by the SSS must be documented.

(3) Periodic Validation of SSS. Procedures must exist to periodically validate correct
operation of the hardware, firmware, and software elements of the SSS.

c. SSS-3 Requirements. In addition to those requirements stated in SSS-2, SSS-3 includes
the following requirements.

(1) SSS Isolation. The SSS must maintain a domain for its own execution that protects it
from external interference and tampering (e.g., by reading or modifying its code and
data structures).

(2) Policy Description. A description of the security policy model enforced by the SSS
must be documented with an explanation that shows it is sufficient to enforce the
security policy. All interfaces to the SSS must be included in the explanation.

d. Profile Requirements.
Requirements                  Confidentiality Protection Level
                              1        2        3        4        5        6
Security Support Structure    SSS-1    SSS-1    SSS-2    SSS-2    SSS-3    SSS-3

Requirements                  Integrity Level of Concern
                              Low      Medium   High
Security Support Structure    SSS-1    SSS-2    SSS-3

Requirements                  Availability Level of Concern
                              Low      Medium   High
Security Support Structure    SSS-1    SSS-2    SSS-3


17. SECURITY TESTING (ST). Certification and ongoing security performance testing are used to verify correct
operation of a system’s protection measures.

a. ST-1 Requirements.

(1) Certification Testing. Certification testing must include security function verification
tests, tests to verify that security functions do not have any undesired effect(s) on
the information system, tests to verify that the security functions perform correctly
when activated with abnormal input values, and documentation of the test results.

(2) Ongoing Testing. Ongoing security performance testing must be conducted regularly
to ensure that the system’s security features continue to function correctly. The
ongoing security performance tests may include all or parts of the security function
verification and certification tests. The methods for determining that these features
continue to be implemented during the life cycle of the information system (e.g., after
system updates) must be documented.

c. ST-2 Requirements. In addition to those requirements stated in ST-1, ST-2 includes the
following requirements.

Certification Test Reporting. Certification testing provides assurance that the information
system is operating in accordance with the approved ISSP. The certification test results,
when satisfactory, provide the DAA with supporting documentation for the accreditation of
the information system.
(a) Certification Test Plans. The certification test plan must confirm that the information
system has been implemented and is operating in accordance with the ISSP. If the
security features of the information system, as specified in the ISSP, are expected to
restrict user access, for example, these features must be tested to ensure that they are
implementing the specified security requirements.

(b) Documentation. The results of certification tests and an analysis of the results must be
documented.

d. ST-3 Requirements. In addition to those requirements stated in ST-2, ST-3 includes the
following requirements.

(1) Penetration Testing. Ongoing periodic penetration testing must be performed to
identify major or obvious vulnerabilities in the system. The test methodology and
procedures must be described in a security test plan. Ongoing penetration tests
may include all or parts of the security function verification tests.

(2) Independent Validation and Verification. An IV&V team must assist in the
certification testing of an information system and must perform validation testing of the
system as required by the DAA.

e. Profile Requirements.

Requirements           Confidentiality Protection Level
                       1             2       3       4       5       6
Security Testing       [illegible]   ST-2    ST-2    ST-3    ST-3    ST-3

Requirements           Integrity Level of Concern
                       Low     Medium  High
Security Testing       ST-1    ST-2    ST-3


18. TRUSTED PATH (TP). Users often need to perform functions, such as authentication, through
direct interaction with the SSS. A trusted path ensures that the user is communicating directly
with the SSS. Trusted path exchanges may be initiated by a user or the SSS. A user response
via the trusted path guarantees that untrusted processes cannot intercept or modify the user’s
response.

a. TP-1 Requirements.

Authentication Path. The information system must support a trusted path between itself and
the user for initial identification and authentication.





DOE M 471.2-2
8-3-99

CHAPTER VIII

REQUIREMENTS FOR INTERCONNECTED SYSTEMS


1. INTERCONNECTED SYSTEMS MANAGEMENT. The characteristics and capabilities of
classified information systems implemented as networks require special protection considerations.
This chapter imposes additional requirements on a network or expands on the protection
requirements stated in Chapters VI and VII as they apply to a network.

a. When connecting two or more networks, the DAA(s) must review the security attributes of
each network (even if the networks are accredited at the same protection level) to determine
whether the combination of data and/or the combination of [words illegible in source] on the connected network
requires a higher protection level.

b. A unified network is a connected collection of systems or networks that are accredited (1)
under a single ISSP, (2) as a single entity, and (3) by a single DAA. Such a network can
be as simple as a small stand-alone LAN operating at Protection Level 1, following a single
security policy, accredited as a single entity, and administered by a single ISSO.
Conversely, it can be as complex as hundreds of LANs separated over a
wide area but still following a single security policy, accredited as a single entity by a single
DAA. The perimeter of each network encompasses all its hardware, software, and
attached devices. Its boundary extends to all of its users.

c. An interconnected network is comprised of two or more separately accredited systems
and/or networks. Each separately accredited system or network maintains its own intra-system
services, protects its own resources, and retains its individual
accreditation. Each participating system or network has its own ISSO. The interconnected
network must have an SSS capable of adjudicating the different security policy
implementations of the participating systems or unified networks. An interconnected
network requires accreditation as a unit.


d. Systems that process information at differing classification levels or with differing
compartmentation (i.e., at least two kinds of information that require different formal access
approvals) can be interconnected if-

(1) they are interconnected through a controlled interface (as defined below) that provides
the separation appropriate to the combination of the level(s) and compartment(s) being
processed on both systems;

(2) both systems are operating at the same protection level (both systems must be
accredited to protect the information being transferred); or

(3) both systems are accredited to process the level(s) and compartment(s) of information
that they will receive, and at least one system is accredited to provide appropriate
separation for the information being transferred.

e. Any classified information system connected to another system that does not meet either
Paragraph 1d(2) or 1d(3) above must use a controlled interface(s) that performs the
following.

(1) A communication of lower classification level from within the system perimeter must be
reviewed for classification before being released.

(2) A classified communication from within the system perimeter must have the body and
attachments of the communication encrypted with the appropriate level of encryption
for the information, transmission medium, and target system.

(3) Communications from outside the system perimeter must have an authorized user as
the addressee (i.e., the controlled interface must notify the user of the communication
and release the communication only on request of the user). If classified information
exists in the communication, it must be encrypted with the appropriate level of
encryption for the information, transmission medium, and target system.



2. CONTROLLED INTERFACE FUNCTIONS.

a. The functions of the controlled interface include-

(1) providing a secure point of interconnection between networks, connected peripheral
devices, remote terminals, or remote hosts;

(2) providing for the exchange of security-related information; and

(3) filtering information in a data stream based on associated security labels for data
content.

b. Controlled interfaces have several characteristics including the following.

(1) There are no general users on the controlled interface.

(2) There is no user code running on the controlled interface.

(3) The controlled interface provides a protected conduit for the transfer of user data.

(4) Communications from outside the perimeter of the system must be reviewed for viruses
and other malicious code.


3. CONTROLLED INTERFACE REQUIREMENTS. The controlled interface must have the
following properties.

a. Adjudicated Differences. The controlled interface must be implemented to monitor and
enforce the network protection requirements and to adjudicate the differences in security
policies.

b. Routing Decisions. The controlled interface must base its routing decisions on information
that is supplied or alterable only by the SSS.

c. Restrictive Protection Requirements. The controlled interface must support the protection
requirements of the most restrictive of the attached networks or information systems.

d. User Code. The controlled interface must not run any user code.


e. Fail-secure. The controlled interface must be implemented so that all possible failures must
result in no loss of confidentiality or unacceptable exposure of integrity or availability.

f. Communication Limits. The controlled interface must implement communication policies
such that communications and connections that are not explicitly permitted are prohibited.

g. Technical Protection Requirements. The protection requirements for Protection
Level 3 are usually adequate for the platform on which the controlled interface is operating.
In general, such systems have a small number of users; that is, system administrators and
maintainers. The controlled interface may have a large number of clients; that is, individuals
who use the controlled interface’s functional capabilities in a severely constrained way. The
controlled interface applications must provide the more stringent technical protections
appropriate for the system protection level. Multiple applications do not affect the overall
protection provided by the controlled interface if each application (and the resources
associated with it) is protected from unauthorized access or circumvention from other
applications and users.
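The properties in this chapter compose into a single decision path: routing and policy data held by the SSS rather than read from traffic (3.b), an explicit allow-list with everything else refused (3.f), label-based filtering against the destination's accreditation (2.a(3)), the release, malicious-code and addressee checks of 1.e and 2.b(4), and refusal on any internal fault (3.e). The following is an added example written for this page, not code from the Manual or any DOE system; the networks, accreditation levels, level ordering and traffic are constructed for the demonstration.

```python
# Added example (not part of DOE M 471.2-2): the decision logic of a controlled
# interface as Chapter VIII describes it. Policy data is held by the interface
# (supplied by the SSS), never taken from the message; anything not explicitly
# permitted is refused; labels above the destination's accreditation are
# filtered; any internal error refuses rather than passes. All values constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Message:
    src_net: str
    dst_net: str
    label_level: str            # security label carried in the message header
    reviewed_for_release: bool  # classification review done (1.e(1))
    malware_scanned: bool       # review for viruses and malicious code (2.b(4))
    sponsor_released: bool      # inside addressee asked for release (1.e(3))


class ControlledInterface:
    def __init__(self, accredited_level: Dict[str, str],
                 permitted: FrozenSet[Tuple[str, str]], inside: FrozenSet[str]) -> None:
        self.accredited_level = accredited_level   # SSS-supplied, not taken from traffic (3.b)
        self.permitted = permitted                 # explicit (src, dst) allow-list (3.f)
        self.inside = inside                       # networks inside the system perimeter

    def _decide(self, m: Message) -> Tuple[bool, str]:
        if (m.src_net, m.dst_net) not in self.permitted:
            return False, "connection not explicitly permitted"
        if m.label_level not in LEVELS:
            return False, "unrecognised security label"
        if LEVELS[m.label_level] > LEVELS[self.accredited_level[m.dst_net]]:
            return False, "label exceeds destination accreditation"
        outbound = m.src_net in self.inside and m.dst_net not in self.inside
        inbound = m.dst_net in self.inside and m.src_net not in self.inside
        if outbound and not m.reviewed_for_release:
            return False, "outbound communication not reviewed for classification"
        if inbound and not m.malware_scanned:
            return False, "inbound communication not reviewed for malicious code"
        if inbound and not m.sponsor_released:
            return False, "inbound communication not released by the addressee"
        return True, "permitted"

    def decide(self, m: Message) -> Tuple[bool, str]:
        """Fail-secure wrapper (3.e): a fault in the decision path refuses the message."""
        try:
            return self._decide(m)
        except Exception as exc:  # e.g. a destination missing from the accreditation table
            return False, f"refused on internal error: {type(exc).__name__}"


# Constructed deployment: two inside LANs accredited at SECRET, one outside network.
CI = ControlledInterface(
    accredited_level={"ops-lan": "SECRET", "admin-lan": "SECRET", "external": "UNCLASSIFIED"},
    permitted=frozenset({("ops-lan", "external"), ("external", "ops-lan"), ("ops-lan", "admin-lan")}),
    inside=frozenset({"ops-lan", "admin-lan"}),
)

# Constructed traffic sample; the comments give the expected decision.
SAMPLE: List[Message] = [
    Message("ops-lan", "external", "UNCLASSIFIED", True, True, False),    # permitted
    Message("ops-lan", "external", "SECRET", True, True, False),          # label too high
    Message("ops-lan", "external", "UNCLASSIFIED", False, True, False),   # not reviewed
    Message("external", "ops-lan", "UNCLASSIFIED", True, False, True),    # not scanned
    Message("external", "ops-lan", "UNCLASSIFIED", True, True, True),     # permitted
    Message("admin-lan", "external", "UNCLASSIFIED", True, True, False),  # no such connection
    Message("ops-lan", "admin-lan", "SECRET", True, True, False),         # inside to inside, permitted
]


def evaluate(ci: ControlledInterface = CI,
             messages: List[Message] = SAMPLE) -> List[Tuple[bool, str]]:
    """Decision and reason for each message in order."""
    return [ci.decide(m) for m in messages]
```

The order of the checks matters for what gets logged: the allow-list runs first so that traffic on an unexpected path is refused before any content-dependent logic touches it, and the catch-all in `decide` means a gap in the accreditation table produces a refusal with a reason rather than a pass.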


ASSURANCES FOR CONTROLLED INTERFACES. Each controlled interface must be 
tested and evaluated to ensure that the controlled interface, as implemented, can provide the 
separation required for the system's protection level. Specifically, the platform on which the 
controlled interface runs does not necessarily have to provide the needed separation alone. 
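The properties listed in paragraphs 3 and 4 above, together with the earlier requirement that communications from outside the perimeter be reviewed for malicious code, can be modelled as a small adjudication engine. The Python below is an added illustration and not part of the Manual; the network names, labels, rule-table format, and class names are constructed for the example.

```python
"""Toy model of the controlled-interface properties described above: default deny,
an SSS-supplied routing table, the most restrictive attached protection level,
fail-secure behaviour, and malicious-code review of traffic from outside the
perimeter.  Added example; all names and sample values are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Tuple


class Level(IntEnum):
    """Ordered so that max() yields the most restrictive attached network."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2


@dataclass(frozen=True)
class Network:
    level: Level
    inside_perimeter: bool


@dataclass(frozen=True)
class Flow:
    src_net: str
    dst_net: str
    service: str
    content_reviewed: bool = False  # has malicious-code review already run?


@dataclass(frozen=True)
class Decision:
    permitted: bool
    reason: str


Rule = Tuple[str, str, str]  # (source network, destination network, service)


class ControlledInterface:
    def __init__(self, networks: Dict[str, Network], sss_rules: FrozenSet[Rule]):
        self._networks = dict(networks)
        # Routing decisions use only this table.  It is fixed when the SSS loads
        # it, and nothing carried in a Flow can add to it (property b).
        self._rules = frozenset(sss_rules)
        # The interface takes on the protection level of the most restrictive
        # attached network (property c).
        self.level = max(n.level for n in networks.values())

    def adjudicate(self, flow: Flow) -> Decision:
        try:
            src = self._networks[flow.src_net]  # KeyError on an unknown network
            self._networks[flow.dst_net]        # destination must be attached too
            if (flow.src_net, flow.dst_net, flow.service) not in self._rules:
                return Decision(False, "not explicitly permitted")  # property f
            if not src.inside_perimeter and not flow.content_reviewed:
                return Decision(False, "inbound traffic not reviewed for malicious code")
            return Decision(True, "explicitly permitted")
        except Exception as exc:
            # Fail-secure (property e): any internal fault ends in denial, never
            # in a pass-through that could expose information.
            return Decision(False, f"fail-secure: {type(exc).__name__}")


def build_example_interface() -> ControlledInterface:
    """Constructed sample: a SECRET enclave inside the perimeter, an UNCLASSIFIED
    campus network outside it, and one SSS-approved inbound service."""
    networks = {
        "enclave": Network(Level.SECRET, inside_perimeter=True),
        "campus": Network(Level.UNCLASSIFIED, inside_perimeter=False),
    }
    rules = frozenset({("campus", "enclave", "smtp")})
    return ControlledInterface(networks, rules)
```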
CONTRACTOR REQUIREMENTS DOCUMENT 

1. Purpose. This Contractor Requirements Document (CRD) is issued to aid procurement request 
initiators in identifying Classified Information Systems Security Program requirements that must be 
incorporated into contracts by contracting officers. All contractor responsibilities must be 
accomplished in compliance with DOE M 471.2-2, CLASSIFIED INFORMATION 
SYSTEMS SECURITY MANUAL. 


2. Management Structure. The contractor must assign individuals to serve as Classified Information 
Systems Security Site Managers (ISSMs) and Classified Information Systems Security Officer(s) 
(ISSOs). 

3. Classified Information Systems Security Site Manager (ISSM). The ISSM is responsible for 
implementing the Classified Information Systems Security Program at the site. A separate ISSM 
may be appointed for information systems in a Sensitive Compartmented Information Facility 
(SCIF) if the site determines that another ISSM is needed. In this capacity, the ISSM also 
functions as the site point of contact for all classified information systems security issues. The 
ISSM carries out the following responsibilities. 


a. Ensures the development, documentation, and presentation of information systems security 
education, awareness, and training activities for site management, information security 
personnel, data custodians, and users. This training and awareness program must include, 
but is not limited to, various combinations of classes (both self-paced and formal), security 
education bulletins, ti[...], computer-aided instruction, security briefings, and related 
educational aids. 

b. Ensures the development, documentation, and presentation of information systems security 
training for escorts in information systems operational areas. 

c. Establishes, documents, implements, and monitors the Classified Information Systems 
Security Program for the site and ensures site compliance with DOE requirements for 
information systems. These include the baseline protection requirements common to all 
systems, which are detailed in DOE M 471.2-2, Chapter VI. 

d. Ensures the development of procedures for use in the site Classified Information Systems 
Security Program. 

e. Identifies and documents unique threats to information systems at the site. 

f. Ensures that the site's Classified Information Systems Security Program is coordinated with 
the Site Safeguards and Security Plan or the Site Security Plan (see DOE O 470.1, 
SAFEGUARDS AND SECURITY PROGRAM, Chapter I). 


g. Coordinates the following: 
(1) implementation of the site Classified Information Systems Security Program with the 
other site programs, as appropriate, such as Classified Matter Protection and Control, 
Personnel Security, Physical Security, Communications Security, Protected 
Transmission Systems, TEMPEST, and Materials Control and Accountability; 

(2) development of a site self-assessment program for the Classified Information Systems 
Security Program; and 

(3) self-assessment of the site’s Classified Information Systems Security Program, which is 
to be performed between operations office surveys. 


h. Ensures the development of site procedures to- 

(1) govern marking, handling, controlling, removing, transporting, sanitizing, reusing, and 
destroying media and equipment containing classified information; 

(2) ensure that vendor-supplied authentication features (e.g., passwords, account names) 
or security-relevant features are properly implemented; 

(3) report classified information systems security incidents; 

(4) require that each classified information system user sign an acknowledgment of 
responsibility (Code of Conduct) for protecting classified information systems and 
classified information; 

(5) detect malicious code, viruses, and intruders (hackers); and 

(6) review and approve Classified Information Systems Security Plans (ISSPs), 
certification test plans, and certification test results. 

i. Determines, using guidance from the data custodian(s), the appropriate levels of concern for 
confidentiality, integrity, and availability for each information system that processes classified 
information. 

j. Certifies to the Designated Approving Authority (DAA), in writing, that each ISSP has been 
implemented, that the specified protection measures are in place and properly tested, and 
that the information system is functioning as described in the ISSP. 

k. Recommends to the DAA, in writing, approval or disapproval of the ISSP test results and 
the certification statement. 


l. Ensures that the DAA is notified when a system no longer processes classified information, 
or when changes occur that might affect accreditation. 

m. Participates in information systems security training sponsored by the Classified Information 
Systems Security Program Manager (ISPM) within 1 year of his/her appointment. 

n. Ensures that personnel are trained on the information system’s prescribed security 
restrictions and safeguards before they are initially allowed to access a system. 


4. Classified Information Systems Security Officer (ISSO). 

a. Ensures implementation of security measures for each classified information system for which 
he/she is responsible. 

b. Identifies and documents any unique threats to classified information systems for which 
he/she is the ISSO and forwards them to the ISSM. 


c. If so directed by the DAA and/or if an identified unique local threat exists, performs a risk 
assessment to determine if additional countermeasures beyond those identified in DOE M 
471.2-2 are required. 

d. Develops and implements a certification test plan for each classified information system for 
which he/she is the ISSO, as required by DOE M 471.2-2 and the DAA. 


e. Prepares, maintains, and implements an ISSP that accurately reflects the installation of 
protection measures for each classified information system for which he/she is responsible. 

f. Maintains the record copy of the ISSP and related documentation for each classified 
information system for which he/she is the ISSO. 

g. Notifies the DAA (through the ISSM) when a system no longer processes classified 
information or when changes occur that might affect accreditation. 

h. Ensures the following: 

(1) that the sensitivity level of the information is determined prior to use on the classified 
information system and that security measures are implemented to protect 
this information; 

(2) that unauthorized personnel are not granted use of, or access to, a classified 
information system; and 

(3) that formal access controls are implemented for each classified information system, 
except stand-alone personal computers and stand-alone workstations. 

i. Documents any special protection requirements identified by the data custodians and the 
protection measures implemented to fulfill these requirements for the information contained in 
the classified information system. 

j. Ensures that confidentiality, integrity, and availability levels of concern are determined for 
each classified information system for which he/she is responsible. 

k. Implements site procedures to- 


(1) govern marking, handling, controlling, removing, transporting, sanitizing, reusing, and 
destroying media and equipment containing classified information; 

(2) ensure that vendor-supplied authentication features (e.g., passwords, account names) 
or security-relevant features are properly implemented; 

(3) report classified information systems security incidents; 

(4) require that each classified information system user sign an acknowledgment of 
responsibility (Code of Conduct) for protecting classified information systems and 
classified information; 
(5) detect malicious code, viruses, and intruders (hackers); and 

(6) review and approve ISSPs, certification test plans, and certification test results. 

l. Ensures that users are properly trained in system security by identifying classified information 
systems security training needs (including system-specific training) and personnel who need 
to attend system security training programs. 

m. Conducts ongoing security reviews and tests of classified information systems periodically to 
verify that security features and operating controls are functional and effective. 

n. Evaluates proposed changes or additions to the classified information systems and advises 
the ISSM of their security relevance. 


5. Classified Information Systems Application Owner/Data Custodian. Contractor personnel 
responsible for information systems applications and/or custody of data must accomplish the 
following responsibilities. 

a. Determine and declare the sensitivity level of information prior to the information being 
processed, stored, transferred, or accessed on the classified information system. 

b. Advise the ISSO of any special protection requirements for information to be processed on 
the classified information system. 

c. Determine and document the data and application(s) that are essential to fulfill the site 
mission and ensure that requirements for contingencies are determined, implemented, and 
tested. 

d. Ensure that information is processed on a classified information system that is accredited at a 
level sufficient to protect the information. 

e. Declare the consequences of losing information confidentiality, integrity, and availability. 


6. Users of Classified Information Systems. Contractor personnel who use classified information 
systems must accomplish the following. 


a. Comply with the Classified Information Systems Security Program requirements. 

b. Be aware of and knowledgeable about their responsibilities in regard to classified 
information systems security. 

c. Be accountable for their actions on a classified information system. 

d. Ensure that any authentication mechanisms (including passwords) issued for the control of 
their access to classified information systems are not shared and are protected at the highest 
classification level and most restrictive classification category of information to which they 
permit access. 
e. Acknowledge, in writing, their responsibilities (Code of Conduct) for protecting classified 
information systems and classified information. 

f. Participate in training on the information system’s prescribed security restrictions and 
safeguards before initial access to a system. As a follow-up to this initial training, participate 
in an ongoing security education, training, and awareness program. 


7. Site Security Plan and Site Safeguards and Security Plan. The contractor must prepare a Site 
Security Plan (SSP) or Site Safeguards and Security Plan (SSSP), which must include a site 
risk assessment and the information detailed in DOE O 470.1, SAFEGUARDS AND 
SECURITY PROGRAM. 



8. Site Risk Assessment. 

a. Site risk assessments must include the Department's Classified Information Systems 
Security Risk Assessment developed by DOE as a baseline. 

b. Site risk assessments must identify any site [...] and any protection technologies 
unique to the site. 

c. Site risk assessment results must be documented and used to augment, as needed, the 
Classified Information Systems Protection Profiles to be applied to information systems at 
the site. 


9. Protection Profiles. The contractor must develop a protection profile for the site as the first step 
in implementing a Classified Information Systems Security Program. The protection profile must 
comply with the requirements of Chapter IV of DOE M 471.2-2. 


10. Certification and Accreditation. The contractor must comply with the certification and 
accreditation requirements of Chapter V of DOE M 471.2-2. Certification confirms that the 
Classified Information Systems Security Program protection measures have been implemented 
correctly in accordance with the protection profile. Accreditation, which is performed by the 
DOE DAA, grants authority to operate the Classified Information Systems Security Program. 


11. Independent Validation and Verification. For information systems intended to operate in 
Protection Level 5 or 6, the contractor must conduct and fund an Independent Validation and 
Verification review. 


12. Reaccreditation. The ISSO and ISSM must work with the Classified Information Systems 
Security Operations Manager (ISOM) to review proposed modifications to information systems 
to determine their effect on the system protections. 

13. Incident Reporting. Contractor personnel must report to the ISOM any incidents that may affect 
DOE or national interests. (Incidents may be reported via telephone or other electronic means.) 
The report must include at least the location of the incident, possible effect on DOE or national 
interests, a description of the incident, and a description of the actions that were taken to protect 
information after the incident was discovered. All individual(s) collecting information about or 
reporting an incident must ensure that any sensitive or classified information involved in the 
incident or report is properly protected. All information reported must comply with DOE M 
471.2-2. 


14. Self-Assessments. The ISSM must ensure that periodic self-assessments of the site's program 
are performed. Upon completion of each review, the ISSM must ensure that a corrective action 
plan is prepared and implemented for all findings or vulnerabilities as directed by DOE O 470.1, 
Chapter IX, Paragraph 10a. A record of each review and the subsequent corrective action plan 
must be retained and made available during future surveys and inspections. 

15. Graded Requirements. The ISSM must ensure that the Classified Information Systems Security 
Program is implemented according to the graded requirements described in Chapter VII of DOE 
M 471.2-2. 


16. Interconnected Systems. The ISSM must implement the additional requirements in Chapter VIII 
of DOE M 471.2-2 for classified information systems implemented as networks. 
ATTACHMENT 2 


DEFINITIONS 


ACCREDITATION. The formal acknowledgment (written or electronic) of the designated approval 
authority's decision to authorize an information system to process, store, transfer, or provide access to 
classified information in a specific information system's security environment established by a specific 
Classified Information Systems Security Plan (ISSP). 


AVAILABILITY. The attribute of information being in the place, at the time, and in the form needed 
by the user. Denotes the goal of ensuring that information and information processing resources both 
remain readily accessible to their authorized users. 

BOUNDARY. The conceptual limit of an information system that includes all directly and indirectly 
connected users who receive output from the system without an independent human review by an 
appropriately authorized or cleared authority. 


CLASSIFIED INFORMATION SYSTEMS SECURITY OFFICER (ISSO). The person 
responsible for ensuring that protection measures are instituted and operational security is maintained for 
one or more specific classified information system(s). 


CLASSIFIED INFORMATION SYSTEMS SECURITY OPERATIONS MANAGER (ISOM). A 
DOE employee who is the technical [...] responsible to the Designated Approval Authority (DAA) 
for ensuring that security is provided and implemented throughout the life cycle of a classified 
information system. 


CLASSIFIED INFORMATION SYSTEMS SECURITY PROGRAM MANAGER (ISPM). The 
DOE employee appointed by the Director of the Office of Safeguards and Security to be responsible 
for the development of policies, standards, guidelines, and procedures for the protection of 
classified information systems. 


CLASSIFIED INFORMATION SYSTEMS SECURITY SITE MANAGER (ISSM). The manager 
responsible for a site Classified Information Systems Security Program. 


CLEARING. Removal of data from an information system or media, performed so that the data may 
not be reconstructed using normal system capabilities (i.e., through the keyboard). NOTE: Clearing 
of classified information from media does not permit the reuse of the media at a lower classification level 
or in an unclassified mode. 


CONFIDENTIALITY. The critical information attribute of being inaccessible except to persons or 
processes that have an authorization and a legitimate need to know that information. 

DATA CUSTODIAN. The person responsible for having information reviewed for sensitivity and 
classification. This person is responsible for its generation, management, and destruction. 
DESIGNATED APPROVING AUTHORITY (DAA). The official with the authority to formally grant 
approval for operating a classified information system; the person who determines the acceptability of 
the residual risk in a system that is prepared to process classified information and either accredits or 
denies operation of the system. 

INFORMATION SYSTEM. As defined in National Security Telecommunications and 
Information Systems Security (NSTISSC) 4009, National Information Systems Security 
(INFOSEC) Glossary, dated 5 June 1992, “any telecommunications and/or computer related 
equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, 
manipulation, management, movement, control, display, switching, interchange, transmission, or 
reception of voice and/or data, and includes software, firmware, and hardware.” NOTE: 
Communications Security (COMSEC) and Technical Surveillance Countermeasures (TSCM) 
requirements are contained in other directives. 


INTEGRITY. The information attribute of being a true, complete, and accurate representation of its 
original content, even when undergoing changes in form or storage medium. 

LEVELS OF CONCERN. An expression of the consequences of loss of the information's integrity, 
availability, or confidentiality. 


PERIMETER. All those components of the system that are to be accredited. NOTE: As 
a rule, separately accredited components are not within the perimeter, but those components 
are within the boundary. 


PRESUMPTIVE NEED TO KNOW. A "need to know" by reason of association or assignment to 
the area in which the data is exposed (e.g., for a janitor, guard, etc.). 


PROTECTION LEVEL. The protection level for confidentiality as determined by the relationship 
between two sets of facts: the access authorizations, formal access approval(s), and 
need-to-know of users; and the level of concern for confidentiality for the system. Protection 
level indicates an implicit level of trust placed in the system's technical capabilities. 


RESIDUAL RISK. The remaining risk of operating a classified information system after application of 
mitigating factors. NOTE: Such mitigating factors often include, but are not limited to- 

• minimizing initial risk by selecting a system known to have fewer vulnerabilities, 

• reducing vulnerabilities by implementing countermeasures, 

• reducing consequence by limiting the amounts and kinds of information on the system, and 

• using classification and compartmentation to lessen the threat by limiting the adversaries' 
knowledge of the system. 
SANITIZATION. The removal of information from media or equipment such that data recovery using 
any known technique or analysis is prevented. NOTE: Sanitization must include the removal of data 
from the media or equipment, as well as the removal of all sensitivity or classified labels, markings, and 
activity logs. 

SITE MANAGER. The person responsible for management of all activities at a site. 


USER. An individual who can receive information from, input information to, or modify information on 
an information system without an independent human review. In a processing context, this also includes 
a process acting on behalf of a user. 


Direct User. A user with physical or electronic access to any component of the information 
system. 


Indirect User. A user with access to information from the information system without an 
independent human review, but who does not have physical access to the system 
itself. 


Privileged User. A user with access to control, monitoring, or administration functions of the 
information system (e.g., system administrator, system security officer, maintainers, system 
programmers, etc.). NOTE: It is often convenient to refer to a user who is NOT a privileged 
user as a general user. 




